Security analysts have found that Android devices running on Qualcomm and MediaTek chipsets were vulnerable to remote code execution due to a flaw in the implementation of the Apple Lossless Audio Codec (ALAC).
ALAC is an audio coding format for lossless audio compression that Apple open-sourced in 2011. Since then, the company has been releasing updates to the format, including security fixes, but not every third-party vendor using the codec applies these fixes. According to a report from Check Point Research, this includes Qualcomm and MediaTek, two of the world’s largest smartphone chip makers.
The analysts have not yet provided many details about the actual exploitation of the flaws but promised to do so at the upcoming CanSecWest in May 2022. From the details available, the vulnerability enables a remote attacker to execute code on a target device by sending a maliciously crafted audio file and tricking the user into opening it. The researchers are calling this attack “ALHACK.”
The impact of a remote code execution attack is severe: it can lead to a data breach, planting and executing malware, modification of device settings, access to hardware components such as the microphone and camera, or account takeover.
The ALAC flaws were fixed by MediaTek and Qualcomm in December 2021 and are tracked as CVE-2021-0674 (medium severity with a 5.5 score), CVE-2021-0675 (high severity with a 7.8 score), and CVE-2021-30351 (critical severity with a 9.8 score).
Fixes for remote code execution flaws in closed-source audio processing units appear in almost every monthly Android security update. However, exploiting them is rarely trivial, and the component vendors provide few technical details to reduce exploitation risk. For example, Android patches from April included nine fixes for critical vulnerabilities in closed-source components. One of them is CVE-2021-35104 (9.8 severity score), a buffer overflow that led to improper parsing of headers while playing FLAC audio clips. The affected chipsets are present in almost the entire range of products Qualcomm released over the past several years.
The standard security advice applies here: keep devices up to date. In this case, it means running the Android patch level “December 2021” or later. If the device no longer receives security updates from the vendor, installing a third-party Android distribution that still provides Android patches is a valid option. Finally, when receiving audio files from unknown or suspicious sources/users, it is best not to open them since they could trigger the vulnerability.
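To check a device against the “December 2021” patch level mentioned above, the following added example (not part of the original article or of Check Point's report) classifies the value Android stores in the `ro.build.version.security_patch` property. The function names are hypothetical, the comparison by year and month is an assumption based on the article's wording, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# "December 2021" level the article gives as the fix for the ALAC CVEs.
# Function names are hypothetical; sample values below are constructed.

REQUIRED_YM=202112   # December 2021 (from the article), compared by year and month

# patch_status LEVEL -> prints "patched", "vulnerable" or "unknown".
# LEVEL is the YYYY-MM-DD string Android stores in ro.build.version.security_patch.
patch_status() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;      # empty, truncated or garbled value
    esac
    year=${level%%-*}
    rest=${level#*-}
    month=${rest%%-*}
    case $month in
        0[1-9]|1[0-2]) ;;
        *) echo unknown; return 0 ;;      # not a real month
    esac
    if [ "$year$month" -ge "$REQUIRED_YM" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# device_patch_status [SERIAL] -> same result for a device attached over adb.
# Prints "unknown" when adb is missing or no device answers.
device_patch_status() {
    serial=$1
    level=$(adb ${serial:+-s "$serial"} shell getprop \
        ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    patch_status "$level"
}

# Constructed sample values, so the script runs without a device.
for sample in 2021-11-05 2021-12-01 2022-04-05 2021-13-01 ""; do
    printf '%-12s %s\n' "${sample:-(empty)}" "$(patch_status "$sample")"
done
```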