Researchers discovered a hole in an audio coding scheme that could have been used by hackers to remotely target Android phones by simply transmitting a malicious audio file.
According to security firm Check Point, which discovered the weakness last year, it impacted the Apple Lossless Audio Codec (ALAC). The codec is open-source and commonly utilized on platforms other than iPhones, like as Android smartphones.
According to Check Point, Apple has been patching the proprietary version of ALAC for years, while the open-source version has been unpatched since 2011. As a result, the security company discovered a critical flaw in the way a couple of big corporations were utilizing ALAC.
"In a blog post, Check Point Research uncovered that Qualcomm and MediaTek, two of the world's leading mobile chipmakers, copied the susceptible ALAC code into their audio decoders, which are used in more than half of all smartphones globally," the security firm noted.
According to Qualcomm and MediaTek security warnings, the weakness affected dozens of chipsets from both firms, including the Snapdragon 888 and 865, potentially affecting millions of Android handsets.
By delivering a maliciously constructed audio file capable of triggering the ALAC issue, an attacker might remotely execute computer code on an Android phone. The hacker might next try to install further malware on the device or gain access to the camera.
According to Check Point, existing mobile apps might exploit the issue to acquire access to a vulnerable Android smartphone's media folder without asking the user for permission.
The good news is that Qualcomm and MediaTek corrected the bug shortly after it was discovered in December. Check Point also discovered no indication that the vulnerability had ever been exploited.