Critical bug on Android can access your media files

Android ALAC vulnerability highlighted

If you use Apple Lossless Audio Codec (ALAC), you could be a target. Apparently, security researchers have discovered that devices powered by Qualcomm and MediaTek SoCs that use Apple Lossless Audio Codec (ALAC) are vulnerable to remote code execution due to an implementation flaw.

Apple released its open-source lossless audio compressions called ALAC in 2011 and has updated the same with constant security fixes and more.

However, some vendors have insisted on not upgrading this codec, and unfortunately that includes Qualcomm and MediaTek. For context, these are two of the largest chipset makers and with a large number of units on the market.

The ALAC encoded error on Android

According to the details currently available, the vulnerability in the ALAC format allows an attacker to release an executable code on the target device. The file has been spoofed as an audio file named ALHACK, tricking the user into opening the file containing the malicious code.

Once opened, the malicious code executes itself and can cause serious problems ranging from changing device settings to a data breach to accessing hardware components that violate user privacy and security, as well as taking over an account.

The analysts will reveal more details about the vulnerability at the upcoming CanSecWest event in May 2022.

Android ALAC Vulnerability

So far, the vulnerability has been fixed by both Qualcomm and MediaTek as of December 2021. You can follow the same CVE-2021-0675, CVE-2021-0674 and CVE-2021-30351. However, as Bleeping Computer puts it, the implementations of both chipsets can suffer from out-of-bounds read and write.

This could effectively lead to information disclosure and the potential threat actor could be given higher privileges on the affected device without any difficulty.

How can I protect my Android devices?

We can be some ways to stay ahead and stay free from this vulnerability. One is that the Android OS of the device will be updated with the December 2021 security patch and later.

There is an option to get Android updates from third-party Android distributions if your device stops receiving security updates. As usual, opening or opening unknown or unrestricted audio files is a threat and should be avoided if the sender is unknown.

Leave a Comment