A vulnerability was found on Android devices equipped with chipsets built by Qualcomm and MediaTek that could allow hackers to hijack your device.
What is the security vulnerability?
Security experts uncovered a vulnerability in chipsets manufactured by Qualcomm and MediaTek, which are used in millions of Android devices.
The vulnerability could allow hackers to commandeer an Android device and then execute malicious code.
Both chipset manufacturers released patches for the security loopholes late last year, but if you have not installed the latest patch, you could still be exposed.
How does the flaw work?
The vulnerability existed in an audio format created by Apple called ‘Apple Lossless Audio Codec’ – ALAC for short. It was introduced in 2004 to deliver lossless audio over the Internet. Qualcomm and MediaTek used an open-source version of this, but Check Point Research revealed they rather foolishly had not updated it since 2011 – so it had been vulnerable to exploits for years.
The ALAC bug allowed the decoder to retrieve data outside of its allocated memory limit. Because there was no threshold in place, hackers could take advantage of this by forcing the decoder to carry out malicious code.
This type of issue allows hackers to carry out a ‘Remote Code Execution’ (RCE) attack that could result in the attacker gaining control over the device’s data or even operating its camera, without any physical access required.
Android users who want to know if their device is patched can check the security patch level in the OS settings.
What action should you take?
As mentioned, both chipset manufacturers released patches last year, but you should check that your device has in fact installed this patch. Go to settings and look for the operating system version. If it shows a date prior to January 2022, your device could still be susceptible to the bug and you should update your OS immediately.
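The date check described above can be scripted for anyone looking after several devices. This is an added example, not part of the original article: it assumes the patch level is reported as a YYYY-MM-DD string, and the optional `device_patch_level` helper assumes `adb` is installed and reads the `ro.build.version.security_patch` system property. The sample values are constructed.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# January 2022 cutoff given in the article.

CUTOFF=20220101   # "prior to January 2022" means earlier than 2022-01-01

# patch_status LEVEL -> prints one of: patched | exposed | unknown
# LEVEL is the YYYY-MM-DD string Android reports as its security patch level.
patch_status() {
    # Reject anything that is not strictly YYYY-MM-DD (empty, free text, ...)
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Split on the dashes and rebuild as an 8-digit number for comparison
    y=${1%%-*}
    rest=${1#*-}
    m=${rest%-*}
    d=${rest#*-}
    n="$y$m$d"
    if [ "$n" -lt "$CUTOFF" ]; then
        echo exposed
    else
        echo patched
    fi
}

# device_patch_level: read the level from a device attached over adb.
# Not called automatically; assumes adb is on PATH and a device is authorised.
device_patch_level() {
    adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r'
}

# Constructed sample values, not taken from real devices.
for level in 2021-11-05 2021-12-01 2022-01-01 2022-04-05 "" garbage; do
    printf '%-12s %s\n' "${level:-<empty>}" "$(patch_status "$level")"
done
```

To check an attached device, run `patch_status "$(device_patch_level)"`; an `unknown` result means the value could not be read and the device should be checked by hand.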
Conclusion
This raises important questions about how serious Qualcomm and MediaTek are about ensuring the code they use is secure and patched regularly. Apple were able to address the vulnerabilities, but why did these manufacturers not – and are there other libraries, codecs or frameworks they use that are just as exploitable?
If you would like further advice or information on this subject, don’t hesitate to contact us.