IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Qualcomm and Mediatek flaws left millions of Android users at risk

An open source audio codec used by chipset firms is believed to have put two-thirds of Android users' private calls and files at risk

Qualcomm and MediaTek, two of the biggest chipmakers in the world, have been found to have used vulnerable technology in smartphones that could have led to privacy violations of Android users.

Check Point Research (CPR) discovered a number of vulnerabilities in the Apple Lossless Audio Codec (ALAC), a component responsible for compressing audio data, that could have led to users’ calls and stored images being accessed by cyber attackers.

The researchers believe that more than two-thirds of the world’s Android smartphones were vulnerable to the attacks at some point.

The vulnerabilities were found in the ALAC code which Apple made open source in 2011; the ALAC has since been installed in a wide variety of non-Apple audio playback devices and programmes - not just Android smartphones, CPR said.

Apple has since updated the code since it went open source, but the code in question had not been updated since 2011 and both Qualcomm and MediaTek ported the vulnerable ALAC code into their audio decoders.

Attackers could have used the vulnerabilities to conduct a remote code execution (RCE) attack on smartphones by sending victims a malformed audio file, the researchers said, but will not unveil full details of how the vulnerabilities can be exploited until they are presented at the CanSecWest conference in May.

Related Resource

Microsoft 365 protection made MSPEasy

The cloud protection solution built for MSPs

Whitepaper cover with layered graphic of tablet, envelope and padlockFree Download

“We've discovered a set of vulnerabilities that could be used for remote execution and privilege escalation on two-thirds of the world's mobile devices,” said Slava Makkaveev, reverse engineering and security research, at CPR. “The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service.

“The threat actor could have seen what the mobile phone user sees on their phone. In our proof of concept, we were able to steal the phone's camera stream. What is the most sensitive information on your phone? I think it's your media: audio and videos. An attacker could have stolen that through these vulnerabilities. The vulnerable decoder is based on the code shared by Apple 11 years ago.”

MediaTek tracks both vulnerabilities as CVE-2021-0674 and CVE-2021-0675, scoring 5.5 and 7.8 out of ten on the CVSSv3 threat severity scale, and were patched by the company in December 2021.

Qualcomm tracks the security vulnerability as CVE-2021-30351, scoring 9.8, a critical rating, and affected a score of Snapdragon products. Qualcomm patched the issue in December 2021 and CPR waited until this week to publish details to allow users time to patch.

CPR recommends all Android users regularly patch their phones to the latest version that Google issues on a monthly basis.

Featured Resources

The 3D skills report

Add 3D skills to your creative toolkits and play a sizeable role in the digital future

Free Download

The increasing need for environmental intelligence solutions

How sustainability has become a major business priority and is continuing to grow in importance

Free Download

2022 State of the multi-cloud report

What are the biggest multi-cloud motivations for decision-makers, and what are the leading challenges

Free Download

Solve global challenges with machine learning

Tackling our word's hardest problems with ML

Free Download

Recommended

How to unroot Android
Google Android

How to unroot Android

24 Nov 2022
Citi to transition 70% of its workforce to Snapdragon mobile devices
Laptops

Citi to transition 70% of its workforce to Snapdragon mobile devices

17 Nov 2022
Qualcomm targets slimmer smart glasses with first dedicated AR SoC
Hardware

Qualcomm targets slimmer smart glasses with first dedicated AR SoC

16 Nov 2022
Qualcomm Snapdragon Summit: Snapdragon 8 Gen 2 platform unlocks new AI capabilities
components

Qualcomm Snapdragon Summit: Snapdragon 8 Gen 2 platform unlocks new AI capabilities

15 Nov 2022

Most Popular

Windows 10 users locked out of devices by unskippable Microsoft 365 advert
bugs

Windows 10 users locked out of devices by unskippable Microsoft 365 advert

3 Feb 2023
Why energy efficient technology is key to a sustainable business
Sponsored

Why energy efficient technology is key to a sustainable business

16 Jan 2023
What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023