Colors of the homeland | Urgent warning of a security flaw that exposes two thirds of Android phones in the world to hacking

by time news

Security researchers have discovered that millions of Android devices are vulnerable to a remote code execution attack, due to flaws in an audio codec that Apple released years ago and that has not been patched since.

Researchers at Check Point found a bug in the Apple Lossless Audio Codec (ALAC), an audio compression technology that Apple released in 2011. ALAC was subsequently built into Android devices and audio drivers, according to ZNet.

The program has not been updated since 2011.

The problem, as the Check Point researchers note, is that while Apple has patched and updated its own version of ALAC, the open-source ALAC code used in Android has not been updated since 2011, and it contains a critical flaw that allows remote code execution.

A remote attacker could exploit the flaw by sending a malformed audio file to the target, allowing malware to be executed on the target Android device. The researchers said the flaw could give an attacker remote access to the victim's data, such as media and voice chats.

The severity of the Android bug

Cybersecurity companies have rated this flaw critical, with a severity score of 9.8 out of 10. It affects millions of devices running Android 8.1, 9.0, 10.0 and 11.0.

The number of vulnerable Android devices depends on how many people have not installed the software updates that fix the flaws. Cybersecurity firm Check Point estimates that two-thirds of smartphones sold in 2021 are vulnerable to the flaw.

These bugs affect Android devices with MediaTek and Qualcomm chipsets. The good news is that the bug has been fixed in the December security update, but it is still up to each Android phone manufacturer to follow through on this.
