Security experts at Check Point have found vulnerabilities in a widely used audio decoder that could have allowed attackers to carry out remote code execution (RCE) attacks and steal audio and video files from millions of smartphones.
Check Point experts believe two-thirds of the smartphones in the world could have been at risk, as the audio decoder was used by Qualcomm and MediaTek, two of the leading chip suppliers, accounting for over 60% of the smartphone market as of Q4 2021.
In an RCE attack, attackers run their own code on a device remotely, which lets them take control of the compromised device and do anything they want.
Check Point claims it alerted both Qualcomm and MediaTek about the vulnerabilities last year, and by December 2021 both had released patches to fix them. In response to our query, a Qualcomm spokesperson said, “providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.”
MediaTek, for its part, said, “MediaTek takes device security extremely seriously. Once MediaTek was notified of this issue we worked with our customers and helped them quickly implement patches to ensure a safe computing experience for consumers.”
The vulnerabilities were found specifically in the Apple Lossless Audio Codec (ALAC), which was developed by Apple in 2004 and made open source in 2011. Since then, the decoder has been deployed in millions of non-Apple devices, including Android-based smartphones, Linux and Windows media players, and converters.
According to Check Point, Apple has updated the proprietary version of the decoder multiple times, fixing the vulnerabilities in the process. However, the open-source version has not been patched since 2011.
“The vulnerabilities were easily exploitable. A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code into the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone,” Sundar Balasubramanian, managing director, India and SAARC, Check Point Software, said in a statement.
Balasubramanian warns that the vulnerabilities could have been exploited easily by tricking users into running a malicious audio file or installing a malicious application. However, as of now, Check Point hasn’t found any evidence to indicate that the vulnerabilities have been exploited.
Devices that have received the Android security patch level for December 2021 are no longer vulnerable, Balasubramanian assured.