Serious Android Vulnerability Exposed Stored Media Files To An Adversary

Researchers have discovered a critical security vulnerability in Android devices that exposed users’ media files. While the firm behind the vulnerable component (ALAC) has released fixes, it mainly depends on the third-party vendors to forward the patches to the end-users.

Android Vulnerability Exposed Stored Media Files

Check Point Research found a critical Android vulnerability that exposed stored media files to potential attackers. Their post states that the vulnerability resides in the Apple Lossless Audio Codec (ALAC) format.

Specifically, ALAC is an open-source audio coding format from Apple Inc. meant for lossless digital audio compression. Many Android vendors also use ALAC, and hence, any vulnerability in its code signifies that the bug affects the respective devices using it.

According to Check Point Research, the vulnerability in question affects Android devices from two chipset makers – Qualcomm and MediaTek. Exploiting this vulnerability allows an attacker for remote code execution attacks on the target devices via maliciously crafted audio files.

Describing the impact of this vulnerability, the post stated,

The impact of an RCE vulnerability can range from malware execution to an attacker gaining control over a user’s multimedia data, including streaming from a compromised machine’s camera.
In addition, an unprivileged Android app could use these vulnerabilities to escalate its privileges and gain access to media data and user conversations.

Patches Deployed From The Chipset Makers

Following this discovery, the researchers reported the matter to MediaTek and Qualcomm. Consequently, MediaTek released the bug fixes for CVE-2021-0674 and CVE-2021-0675 and confirmed the patch rollout with the December 2021 security bulletin. Likewise, Qualcomm also fixed the vulnerability (CVE-2021-30351) with December 2021 updates.

Nonetheless, releasing these patches doesn’t mean that the users are safe. It now depends on the third-party vendors selling the respective devices to release the patches to the end-users. However, since Android 2021 updates have also released these fixes, users can check their devices for the current patch level and ensure they’re running at least the Android December 2021 patch or higher.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients