Check Point security researchers warn that millions of Android smartphones and tablets worldwide are vulnerable to malicious code attacks. This is due to the Apple audio codec used in old and weak code on the devices.
The Apple Lossless Audio Codec (ALAC) is suitable for lossless compression of digital music. The codec has been around since 2004. It has been open source since 2011 and is used by many to play audio across platforms. So do mobile phone chip manufacturers Qualcomm and MediaTek.
Malicious Code Attacks
In a report, security researchers mentioned that chip manufacturers issued a vulnerable code (CVE-2021-0674″Average“, CVE-2021-0675”high“, CVE-2021-30351”critical“). Manufacturers supply about 95 percent of Android devices with chips. As a result, millions of devices are likely to be at risk.
For the attack to succeed, the victim must run a prepared ALAC file. A remote attacker can execute malicious code on devices. If that works, he can usually take full control of the systems. Security researchers plan to provide more details about the vulnerabilities at the CanSecWest conference in May.
Check patch status
Both manufacturers claim that they released security patches in December 2021. For example, Google closed the Qualcomm vulnerability (CVE-2021-30351) on the day of the patch in the same month.
If you own an Android device, you should make sure that the patch level is at least December 2021. The problem is that not all devices receive security updates and many of them are vulnerable and still are.
(from)
