A security flaw was discovered in Android phones that use chipsets made by Qualcomm and MediaTek. This puts millions of mobile phones in danger of being infiltrated by hackers.
The vulnerability stems from the Apple Lossless Audio Codec (ALAC), an audio format that Apple launched in 2004 to provide lossless data compression for digital music.
After being made open source in 2011, the codec has also been widely used by non-Apple devices, including Android phones.
Over the years Apple has kept ALAC updated to patch security loopholes and other bugs. But according to a Check Point Research report, the open source version of ALAC used by Qualcomm and MediaTek has never been updated.
According to IDC data, 48.1% of all Android phones sold in the US were powered by MediaTek in Q4 2021, while Qualcomm currently holds 47% of the market.
According to the Check Point Research report, quoted on Monday (25/4/2022), hackers could exploit this vulnerability with a malformed audio file to carry out remote code execution (RCE) attacks.
RCE is one of the most dangerous types of exploits because the attack can be launched remotely, without physical access to the device.
The impact of an RCE vulnerability can range from malware execution to attackers gaining control over a user’s multimedia data, including streams from a compromised device's camera.
In addition, this vulnerability can also give access to Android applications, and hackers can use it to access data and eavesdrop on user conversations.
The good news is that the two chipset providers claimed to have patched the security gap in December 2021.