Security researchers have uncovered a flaw in an audio coding format that could’ve been exploited to help hackers remotely attack Android phones simply by sending a malicious audio file.

The flaw involved the Apple Lossless Audio Codec (ALAC), according to security firm Check Point, which uncovered the problem last year. The codec is open-sourced and used widely across non-iPhone devices, including Android smartphones.

For years now, Apple has been updating the proprietary version of ALAC, but the open-source version has remained unpatched since 2011, according to Check Point. This led the security firm to uncover a serious vulnerability in how a pair of major companies were implementing ALAC.

“Check Point Research has discovered that Qualcomm and MediaTek, two of the largest mobile chipset makers in the world, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide,” the security firm wrote in a blog post.

Security bulletins from Qualcomm and MediaTek indicate the flaw affected dozens of chipsets from both companies, including the Snapdragon 888 and 865, meaning millions of Android smartphones were affected.

The vulnerability could help an attacker remotely execute computer code on an Android phone by sending a maliciously crafted audio file, capable of triggering the ALAC flaw. From there, the hacker could try to install additional malware on the device or attempt to access the camera.

Existing mobile apps could also exploit the flaw to gain access to an affected Android smartphone’s media folder without asking the user for permission, according to Check Point.

The good news is that Qualcomm and MediaTek patched the flaw in December after the problem was first reported. Check Point also found no evidence hackers ever exploited the vulnerability.

To make sure you’re protected, check whether your phone has received the “2021-12-05” or later Android security patch. This can usually be done by opening the phone’s Settings panel, going to “About phone,” and checking the Android version, where the security patch level is listed.
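For anyone checking more than one device, the same comparison can be scripted over adb. The following is an added example, not part of the PC Magazine article or Check Point’s research; it assumes adb is installed and the phone is connected with USB debugging enabled, and it reads the standard `ro.build.version.security_patch` system property, comparing it against the 2021-12-05 level the article names.

```sh
#!/bin/sh
# Added example: report whether an Android device's security patch level is
# at or past 2021-12-05, the level the article gives for the ALAC fix.
# Assumes adb is on PATH and a device is attached with USB debugging on.

REQUIRED_PATCH="2021-12-05"   # earliest patch level carrying the fix (from the article)

# patch_to_int YYYY-MM-DD -> prints YYYYMMDD; returns 1 on an unexpected format.
# Patch levels are ISO dates, so the digits alone compare correctly as integers.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | sed 's/-//g'
}

# patch_status LEVEL -> prints "fixed", "older" or "invalid".
patch_status() {
    have=$(patch_to_int "$1") || { echo invalid; return 0; }
    need=$(patch_to_int "$REQUIRED_PATCH")
    if [ "$have" -ge "$need" ]; then echo fixed; else echo older; fi
}

# Read the patch level from the attached device (strip adb's trailing CR/LF).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

main() {
    level=$(device_patch_level)
    case "$(patch_status "$level")" in
        fixed)   echo "patch level $level: ALAC fix present" ;;
        older)   echo "patch level $level: older than $REQUIRED_PATCH, update the device" ;;
        invalid) echo "could not read a valid patch level ('$level')"; exit 2 ;;
    esac
}

# Only talk to a device when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it as `sh check_alac_patch.sh --check` with the phone attached; devices whose Android version string uses a different date format will show as `invalid` and should be checked by hand in Settings.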

The flaw affecting the Qualcomm devices has been assigned CVE-2021-30351. MediaTek, meanwhile, has assigned CVE-2021-0674 and CVE-2021-0675 as the official designations for the vulnerability. Check Point plans to reveal more details about the software bug at the CanSecWest conference, scheduled for May 18-20.

PC Magazine