Android smartphone at risk of privacy, if patched prior to December 2021

About two-thirds of all Android smartphones sold in 2021 would be exposed to a security breach which puts users’ privacy at risk. This is the premise of the new report by Check Point Research which he identified vulnerabilities attributable to the ALAC format that would allow an attacker to remotely access the user’s personal data. Mediatek And Qualcomm they used ALAC audio coding, so devices equipped with a chipset from either company would be exposed.

The good news is that the two companies have released corrective patches in December last year. Specifically, Qualcomm has fixed the CVE-2021-30351 vulnerability, Mediatek the CVE-2021-0674 and CVE-2021-0675 vulnerabilities. The problem it therefore arises for whoever possesses one smartphone with monthly security patches prior to December 2021.

VULNERABILITY OF THE APPLE ALAC FILE (OPEN SOURCE VERSION)

In short: The vulnerabilities relate to the ALAC (Apple Lossless Audio Codec) format, the audio encoding format was developed by Apple and introduced in 2004; In 2011, Apple decided to make the codec open source and has since been integrated into numerous non-Apple audio playback devices and software, including Android smartphones and media players for Linux and Windows. Apple has updated the codec on several occasions by correcting security problems, but the shared code (the open source one) has not been corrected since 2011. Qualcomm and Mediatek have used this unpatched code in their respective audio decoders, until the fixes introduced in December last.

Specifically, the incorrect ALAC format vulnerabilities:

  • would allow the hacker to remotely execute code on a mobile device via an audio file. The remote attack can lead to the execution of malware that allows the hacker to gain control of the user’s multimedia data, including that captured by the camera.
  • they could be exploited by an Android app to gain access to the user’s multimedia data and conversations.

On the user side there is little you can do to protect yourself other than verify yourself have the latest security patches installed. The problem mainly concerns devices no longer supported with the December 2021 patches, in other cases a simple update is enough.


Leave a Comment