Affiliate links on Android Authority may earn us a commission. Learn more.
ALAC bug left millions of Android devices vulnerable to takeover
- A major vulnerability impacted the vast majority of 2021 Android phones.
- The issue is caused by compromised ALAC audio code.
- The vulnerable code was included in MediaTek and Qualcomm audio decoders.
A bug in the Apple Lossless Audio Codec (ALAC) impacts two-thirds of Android devices sold in 2021, leaving unpatched devices vulnerable to takeover.
ALAC is an audio format developed by Apple for use in iTunes in 2004, providing lossless data compression. After Apple open-sourced the format in 2011, companies worldwide adopted it. Unfortunately, as Check Point Research points out, while Apple has updated its own version of ALAC over the years, the open source version was not updated with security fixes since it was made available in 2011. As a result, an unpatched vulnerability was included in chipsets made by Qualcomm and MediaTek.
See also: Lossless music streaming
According to Check Point Research, both MediaTek and Qualcomm included the compromised ALAC code in their chips’ audio decoders. Because of this, hackers could use a malformed audio file to achieve a remote code execution attack (RCE). RCE is considered the most dangerous kind of exploit since it does not require physical access to a device and can be executed remotely.
Using the malformed audio file, hackers could execute malicious code, gain control of a user’s media files, and access the camera’s streaming functionality. The vulnerability could even be used to give an Android app additional privileges, providing the hacker access to the user’s conversations.
Given MediaTek and Qualcomm’s position in the mobile chip market, Check Point Research believes the vulnerability impacts two-thirds of all Android phones sold in 2021. Fortunately, both companies issued patches in December of that year, which were sent downstream to device manufacturers.
Nonetheless, as Ars Technica points out, the vulnerability raises serious questions about the measures Qualcomm and MediaTek are taking to ensure the security of the code they implement. Apple had no problem updating its ALAC code to address vulnerabilities, so why did Qualcomm and MediaTek not do the same? Why did the two companies rely on decade-old code with no attempt to ensure it was safe and up-to-date? Most importantly, are there any other frameworks, libraries, or codecs being used with similar vulnerabilities?
While there are no clear answers, hopefully the seriousness of this episode will spur changes aimed at keeping users safe.