Is your Android phone at risk?
By Paul Rose Jr. for Wealth of Geeks
It's almost the time of year (May) when Google rolls out their latest annual Android operating system update. Some users were expecting it to come sooner this year, in part to combat the overheating issue, as well as the Android Auto bug. Thankfully, Google is finally releasing Android 13 Beta 1. But for two-thirds of Android users, a larger problem looms - ALHACK.
To be clear, a patch to fix the vulnerability has already been issued by major phone chip manufacturers Qualcomm and MediaTek, as of December 2021. But if it's been a while since you updated your phone, your device may still be vulnerable to a malicious backdoor software attack.
Wait, There's Apple in my Android?
To fully understand the problem, we have to go back to 2011. That's when Apple open-sourced the codec for lossless audio. Released in 2004, the Apple Lossless Audio Codec, or ALAC was designed to give the best digital audio sound from the smallest size file possible. It's what allowed compressed audio files to be played on iPhones and iPods, as well as Macs, at professional level sound quality.
While they would sometimes be a serious drain on the battery, the file size was half of that of an uncompressed record, allowing many more songs to be saved. In 2011, Apple released the codec details on the Apache license server, and many other companies snatched it up to improve their operating systems and chipsets.
Back Door Vulnerability
Unfortunately, an unexpected side effect of using the ALAC codec as released was the ability for hackers to use a malformed audio file to game the system. The audio file that appears to be damaged opens the phone to remote access.
Hackers don't have to be anywhere near the phone to execute it, granting them access to your device, including listening in on conversations and even streaming live video. The Remote Code Execution (RCE) attack also allowed hackers to change device privileges, giving them access to data saved on the phone that even the user can't see.
While Apple has constantly updated and reworked their in-house ALAC codec over the years, they never updated the open source. Therefore, the vulnerability was left undiscovered until Check Point Research discovered it and reached out to Qualcomm and MediaTek. Thankfully, the two major tech companies quickly acted to protect their users.
The Fix is In
Patches that repaired the codec were issued in December of 2021, and sent through to phone manufacturers, allowing them to update the coded before more phones were sent out. But that still leaves millions of Android phones made and sold in 2021 that could still be at risk. Especially if you're more cautious about updating to Beta releases or just in the dark about the danger to your technology.
Regardless of your usual approach, experts are recommending that all Android users download the latest security updates, at the very least to protect their devices. By the way, there's a possibility of Google releasing Android 13 Beta 2 in late May, so now would be the time to update and avoid any new bugs being discovered.
Hopefully this will serve as a lesson to the top two Android chip manufacturers to not cut corners and double check all of the tech they work on, rather than passing that risk off onto the eventual consumer. It's not a price Android phone users should have to pay.