Apple released its open-source lossless audio compression format, dubbed ALAC, back in 2011 and has been updating it with security fixes and more ever since. However, some vendors have not upgraded their copies of the codec, and unfortunately that includes Qualcomm and MediaTek. For context, these are two of the largest chipset makers, with a heavy share of units out in the market.
The ALAC codec flaw on Android
As per the details available at the moment, the vulnerability found in the ALAC format involves an attacker getting executable code onto the target device. The file is spoofed as an audio file named ALHACK, and the user is talked into opening the file containing the malicious code.
Once the file is opened, the malicious code executes and can cause issues ranging in severity from modified device settings to a data breach, access to hardware components that breaches the user's privacy and security, and account takeover. The analysts will share more details about the vulnerability at the upcoming CanSecWest event in May 2022.
So far, the vulnerability has been fixed by both Qualcomm and MediaTek as of December 2021. You can track it as CVE-2021-0675, CVE-2021-0674, and CVE-2021-30351. However, as Bleeping Computer puts it, the implementations from both chipset makers could suffer from out-of-bounds reads and writes. This could lead to information disclosure, and a threat actor could gain higher privileges on the affected device without any hassle.
How to protect my Android devices?
There are a few ways to stay ahead of this vulnerability. One of them is updating the device's Android OS to the December 2021 or a later security patch. Should your device no longer get security updates, there is the option of getting Android updates from third-party Android distributions. As usual, opening unknown or untrusted audio files is a threat and should be avoided if the sender is unknown.
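One way to check a device against the December 2021 patch level, as an added example that is not part of the original article. The function names, status labels and the SoC string heuristic are assumptions made for illustration; the sample inventory lines are constructed.

```shell
# Android bulletins publish two patch levels per month (-01 and -05); fixes in
# chipset vendor components belong to the -05 level, so -01 is flagged "review".
FULL_LEVEL=20211205
PARTIAL_LEVEL=20211201

# soc_in_scope STRING -> 0 if the string looks like Qualcomm or MediaTek.
# Heuristic substring match (assumption): property values vary by OEM.
soc_in_scope() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *qualcomm*|*qcom*|*qti*|*mediatek*|*mtk*|mt[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# alac_patch_status PATCH_LEVEL SOC_STRING
# Prints one of: patched, review, outdated, out-of-scope, invalid
alac_patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    soc_in_scope "$2" || { echo out-of-scope; return 0; }
    level=$(printf '%s' "$1" | tr -d '-')
    if [ "$level" -ge "$FULL_LEVEL" ]; then echo patched
    elif [ "$level" -ge "$PARTIAL_LEVEL" ]; then echo review
    else echo outdated
    fi
}

# check_adb_device: query the device attached over adb (needs adb on PATH).
check_adb_device() {
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    soc=$(adb shell getprop ro.soc.manufacturer | tr -d '\r')
    # ro.soc.manufacturer is only set on newer builds; fall back to ro.hardware.
    [ -n "$soc" ] || soc=$(adb shell getprop ro.hardware | tr -d '\r')
    echo "$patch $soc $(alac_patch_status "$patch" "$soc")"
}

# Constructed inventory lines (patch level, SoC string), not real devices.
triage_samples() {
    while read -r patch soc; do
        echo "$patch $soc $(alac_patch_status "$patch" "$soc")"
    done <<'EOF'
2021-11-05 Mediatek
2021-12-01 QTI
2022-03-05 Qualcomm
EOF
}
triage_samples
```

With a device connected and USB debugging enabled, run `check_adb_device` after sourcing the file; the same patch level is shown on the device under Settings, About phone, Android security update.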