Nasty Android flaw allowed hackers to hijack devices via audio files — how Apple is involved

phone bug
(Image credit: Getty Images)

If you have an Android phone with a Qualcomm or MediaTek chipset (this semiconductor duo supplies 95% of U.S. Android devices), your device was vulnerable to a gnarly flaw that allowed hackers to hijack it.

According to Check Point investigators, this bug stems from the Apple Lossless Audio Codec (ALAC). You may be wondering, "What does Apple have to do with an Android vulnerability?"

Well, as it turned out, ALAC (an audio format that rolled out 18 years ago that introduced lossless audio over the web) has an open-source variant Qualcomm and MediaTek uses, and well, it hadn't been updated since 2011 (h/t Ars Technica). Qualcomm and MediaTek ported this obsolete audio coding format into their audio decoders, which jeopardized countless devices.

Apple users don't have to worry. The proprietary version of ALAC was updated over the years with several updates and patches.

How hackers could use malicious audio files to hijack Android devices

Check Point researchers uncovered that Android-based ALAC allowed attackers to use remote execution attacks (RCE) via malicious audio files. "RCE attacks allow an attacker to remotely execute malicious code on a computer," Check Point said in its report.

Using RCE, hackers can execute malware on the victims' device, hijack users multimedia data (e.g. stream from a compromised machine's camera), gain access to victims' media data and conversations, and more.

Fortunately, Check Point disclosed its research findings to Qualcomm and MediaTek; the vulnerabilities are now fixed. Both semiconductor companies released patches for the ALAC flaw as of December 2021.

We can now breathe a sigh of relief over the ALAC vulnerability patch, but Ars Technica raised a spine-tingling question I'll leave you to mull over: "What other open-source libraries used by the chipmakers might be similarly out of date?"

Check Point investigators said they'll delve deeper into the technical details behind this audio codec vulnerability at the CanSecWest Conference in Vancouver.

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!