Audio decoders of Qualcomm and Media Tek chips have been found to have three security vulnerabilities, and if the vulnerabilities are left unpatched, it could allow the attackers to remotely access media and audio conversations on affected mobiles.

Check Point, an Israeli cybersecurity firm, states that the vulnerabilities can lead to remote code execution (RCE) attacks via a specially crafted audio file.

“The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera,” the researchers said in a report shared with The Hacker News.

“In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.”

The vulnerabilities stem from an audio coding format that Apple originally developed and open-sourced in 2011.  The audio codec, known Audio Codec (ALAC) or Apple Lossless and the audio codec format, helps to compress data of digital music without any loss of data.

Since 2011 Qualcomm, Media Tek, and several third parties have developed their audio decoders using the Apple-supplied reference audio codec implementation.

The open-sourced variant of the codec hasn’t been updated since it was uploaded to Github 11 years ago (October 27, 2011), although  Apple has released patches and fixed security flaws in its proprietary ALAC.

Check Point found the vulnerabilities linked to the ported ALAC code and two of them exist in Media Tek processors and one in Qualcomm chipsets

  • CVE-2021-0674 (CVSS score: 5.5, MediaTek) – A case of improper input validation in ALAC decoder leading to information disclosure without any user interaction
  • CVE-2021-0675 (CVSS score: 7.8, MediaTek) – A local privilege escalation flaw in ALAC decoder stemming from out-of-bounds write
  • CVE-2021-30351 (CVSS score: 9.8, Qualcomm) – An out-of-bound memory access due to improper validation of number of frames being passed during music playback

In a proof-of-concept exploit devised by Check Point, The vulnerability can “steal the phone’s camera stream,” said security researcher Slava Makkaveev, who discovered the flaws alongside Netanel Ben Simon.

The three vulnerabilities were patched by chipset manufacturers in December 2021,as the flaws were made known to manufacturers under responsible disclosure.  

“The vulnerabilities were easily exploitable,” Makkaveev explained. “A threat actor could have sent a song (media file) and when played by a potential victim, it could have injected code in the privileged media service. The threat actor could have seen what the mobile phone user sees on their phone.”