Some Android Devices May Have Media File Security Vulnerability

Do you have an Android device?  Is it built around a Qualcomm or MediaTek chipset?  If you answered yes to both of those questions, be aware that researchers at Check Point have recently discovered an issue which could put your device at risk.

The team discovered a flaw in the implementation of the ALAC (Apple Lossless Audio Codec) which was open-sourced back in 2011.  The flaw could allow remote code execution on your device and unfortunately, Qualcomm and MediaTek are two of the industry’s largest chip manufacturers.

The good news is that both Qualcomm and MediaTek acted quickly, and this issue has already been resolved.  The problem involved three separate flaws tracked as CVE-2021-0674 (medium severity with a 5.5 score), CVE-2021-0675 (high severity with a 7.8 score), and CVE-2021-30351 (critical severity with a 9.8 score).

While MediaTek did not release a formal statement about the matter, Qualcomm did.

It reads in part, as follows:

“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.”

If you haven’t installed any security patches for your device since December of last year, grab the latest and install it at your earliest convenience and you’ll be all set.  Until then, be sure not to open any audio files from unknown sources which is good advice even after you’ve installed the patch.  One can never be too cautious.

Kudos to the sharp-eyed researchers at Check Point and to both Qualcomm and MediaTek for their fast action here.  That’s how it’s done.