Jan 10, 2025Ravie LakshmananCybersecurity / AndroidCybersecurity researchers have detailed a now-patched security flaw impacting Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution.The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14."Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code," Samsung said in an advisory for the flaw released in December 2024 as part of its monthly security updates. "The patch adds proper input validation."Google Project Zero researcher Natalie Silvanovich, who discovered and reported the shortcoming, described it as requiring no user interaction to trigger (i.e., zero-click) and a "fun new attack surface" under specific conditions.Particularly, this works if Google Messages is configured for rich communication services (RCS), the default configuration on Galaxy S23 and S24 phones, as the transcription service locally decodes incoming audio before a user interacts with the message for transcription purposes."The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000," Silvanovich explained."While the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write up to 3 * blocksperframe bytes out, if the bytes per sample of the input is 24. This means that an APE file with a large blocksperframe size can substantially overflow this buffer."In a hypothetical attack scenario, an attacker could send a specially crafted audio message via Google Messages to any target device that has RCS enabled, causing its media codec process ("samsung.software.media.c2") to crash.Samsung's December 2024 patch also addresses another high-severity vulnerability in SmartSwitch (CVE-2024-49413, CVSS score: 7.1) that could allow local attackers to install malicious applications by taking advantage of improper verification of cryptographic signature.Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.SHARE