
Critical Chipset Bugs Open Millions of Android Devices to Remote Spying

Three security vulnerabilities have been disclosed in the audio
decoders of Qualcomm and MediaTek chips that, if left unresolved,
could allow an adversary to remotely gain access to media and audio
conversations from affected mobile devices.

According to Israeli cybersecurity company Check Point[1], the issues could be
used as a launchpad to carry out remote code execution (RCE)
attacks simply by sending a specially crafted audio file.

“The impact of an RCE vulnerability can range from malware
execution to an attacker gaining control over a user’s multimedia
data, including streaming from a compromised machine’s camera,” the
researchers said in a report shared with The Hacker News.

“In addition, an unprivileged Android app could use these
vulnerabilities to escalate its privileges and gain access to media
data and user conversations.”


The vulnerabilities are rooted in an audio coding format
originally developed and open-sourced by Apple in 2011. Called the
Apple Lossless Audio Codec (ALAC[2]) or Apple Lossless, the
audio codec format is used for lossless data compression of digital
music.

Since then, several third-party vendors, including Qualcomm and
MediaTek, have incorporated the Apple-supplied reference audio
codec implementation as the basis for their own audio decoders.

And while Apple has consistently patched and remediated security
flaws in its proprietary version of ALAC, the open-sourced variant
of the codec has not received a single update since it was uploaded to
GitHub[3] 11 years ago on October 27, 2011.

The vulnerabilities discovered by Check Point relate to this
ported ALAC code: two were identified in MediaTek[4] processors and
one in Qualcomm[5] chipsets:

  • CVE-2021-0674[6] (CVSS score: 5.5,
    MediaTek) – A case of improper input validation in the ALAC decoder
    leading to information disclosure without any user interaction
  • CVE-2021-0675[7] (CVSS score: 7.8,
    MediaTek) – A local privilege escalation flaw in the ALAC decoder
    stemming from an out-of-bounds write
  • CVE-2021-30351[8] (CVSS score: 9.8,
    Qualcomm) – An out-of-bounds memory access due to improper
    validation of the number of frames being passed during music
    playback
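As an added illustration of the frame-length validation that the third entry describes, here is a decoder-style output routine in its hardened form. This is example code written for this page, not the ALAC reference implementation or any vendor's decoder; the `frame_t` layout, the `MAX_SAMPLES_PER_FRAME` limit and the sample data are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of a decoder's output path. It is NOT the
 * ALAC reference code; it only illustrates the bug class the advisory
 * describes: a length read from the file is used to size a memory write.
 * Trusting that length as-is lets a crafted file write past the buffer. */

#define MAX_SAMPLES_PER_FRAME 4096u   /* assumed per-frame format limit */

typedef struct {
    uint32_t num_samples;     /* claimed length, read from untrusted input */
    const int16_t *samples;   /* decoded sample payload */
} frame_t;

/* Hardened form: the header's claim is validated against both the format
 * limit and the real capacity of `out` before any byte is written.
 * Returns the number of samples written, or -1 if the frame is rejected. */
int decode_frame_checked(const frame_t *f, int16_t *out, size_t capacity)
{
    if (f == NULL || out == NULL || f->samples == NULL)
        return -1;
    if (f->num_samples > MAX_SAMPLES_PER_FRAME)
        return -1;            /* malformed header */
    if ((size_t)f->num_samples > capacity)
        return -1;            /* would overrun the output buffer */
    memcpy(out, f->samples, (size_t)f->num_samples * sizeof(int16_t));
    return (int)f->num_samples;
}

/* Constructed sample input: a well-formed 4-sample frame, and a frame whose
 * header claims 64 samples while the caller only has room for 8. */
static const int16_t payload[4] = { 10, -20, 30, -40 };

int demo_well_formed(void)
{
    int16_t out[8];
    frame_t f = { 4, payload };
    return decode_frame_checked(&f, out, 8);     /* 4 */
}

int demo_oversized_claim(void)
{
    int16_t out[8];
    frame_t f = { 64, payload };                 /* lies about its length */
    return decode_frame_checked(&f, out, 8);     /* -1: rejected, no write */
}
```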


In a proof-of-concept exploit devised by Check Point, the
vulnerabilities made it possible to “steal the phone’s camera
stream,” said security researcher Slava Makkaveev, who is credited
with discovering the flaws alongside Netanel Ben Simon.

Following responsible disclosure, all three vulnerabilities were
closed by the respective chipset manufacturers in December 2021.

“The vulnerabilities were easily exploitable,” Makkaveev
explained. “A threat actor could have sent a song (media file) and
when played by a potential victim, it could have injected code in
the privileged media service. The threat actor could have seen what
the mobile phone user sees on their phone.”

References

  1. Check Point (blog.checkpoint.com)
  2. ALAC (en.wikipedia.org)
  3. uploaded to GitHub (github.com)
  4. MediaTek (corp.mediatek.com)
  5. Qualcomm (www.qualcomm.com)
  6. CVE-2021-0674 (nvd.nist.gov)
  7. CVE-2021-0675 (nvd.nist.gov)
  8. CVE-2021-30351 (nvd.nist.gov)
