- A major vulnerability impacted the vast majority of 2021 Android phones.
- The issue is caused by compromised ALAC audio code.
- The vulnerable code was included in MediaTek and Qualcomm audio decoders.
A bug in the Apple Lossless Audio Codec (ALAC) impacts two-thirds of Android devices sold in 2021, leaving unpatched devices vulnerable to takeover.
ALAC is an audio format developed by Apple for use in iTunes in 2004, providing lossless data compression. After Apple open-sourced the format in 2011, companies worldwide adopted it. Unfortunately, as Check Point Research points out, while Apple has updated its own version of ALAC over the years, the open source version was not updated with security fixes since it was made available in 2011. As a result, an unpatched vulnerability was included in chipsets made by Qualcomm and MediaTek.