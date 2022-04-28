Millions of Android users at risk of cyber attack, major vulnerability ALAC Bugs found in Qualcomm and MediaTek chipsets

According to a new study, millions of Android users have been found to be at risk of cyber. This study has shown that the vulnerability was present on Android devices since 2011. This new flaw was found in the APPLE Lossless Audio Codec (ALAC), which allowed hackers to access the device’s audio as well as its gallery. The study claimed that two-thirds of all smartphones sold in 2021 are vulnerable to this attack. Especially those devices, which had Qualcomm and MediaTek chipsets.

According to the study released by Check Point, the world’s two largest mobile chipset makers, MediaTek and Qualcomm, have used ALAC audio coding in mobile handsets. Due to which the privacy of millions of Android users is at risk. The report also claims that Qualcomm and MediaTek have acknowledged the flaws and have since rolled out the fix.

What is ALAC

Apple Lossless Audio Codec (ALAC), also known as Apple Lossless. is an audio coding developed by Apple Inc. and first introduced in 2004 for digital music. After this, in late 2011, Apple made the codec open source. ALAC has since been integrated with many non-Apple audio playback devices and programs. Including Android-based smartphones, Linux and Windows media players and converters.

Not updated since 2011

ALAC used to be updated for security reasons, but has not been updated since 2011. Therefore the code supplied by third parties is being used on the basis of their ALAC. Due to which the risk has increased. The study claims that Qualcomm and MediaTek have ported vulnerable ALAC codes to their audio decoders.

How will it affect the users

Check Point researchers found that ALAC flaws can be used by hackers to remote code (RCE) on mobile devices via audio files. Which can give access to malware and viruses to your device and this can put your data at risk. The vulnerabilities were fixed by both MediaTek and Qualcomm in December 2021.