On September 21, 2024, a critical security vulnerability was identified by Google researchers in the Monkey’s Audio (APE) decoder used in Samsung’s flagship Galaxy S23 and S24 devices.
Now it got fixed after 3 months since the Google Project Zero team disclosed the vulnerability with a 90-day deadline.
The latest update addresses critical vulnerabilities within the Android operating system, incorporating essential security patches from both Google and Samsung.
Notably, it resolves CVE-2024-49415, which impacted Android versions 12, 13, and 14 allow allows remote attackers to execute arbitrary code.
The flaw, which involves an out-of-bounds write in the libsaped.so library, could allow malicious actors to crash the system process or potentially exploit the issue further, leading to serious consequences.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
Vulnerability Details
The issue lies in the saped_rec function of the libsaped.so library. This function writes data into a DMA buffer allocated by the C2 media service.
“While the buffer has a fixed size of 0x120000, the function can write up to three times the maximum allowable size under certain conditions. Specifically, when processing APE files with a large blocksperframe value and 24-bit input samples, the buffer is significantly exceeded, causing memory corruption.” Google researchers explained.
This bug is particularly alarming because it can be remotely triggered without user interaction—a “0-click” vulnerability.
On Samsung devices, Google Messages is configured to use Rich Communication Services (RCS) by default. This configuration means that if a malicious APE audio file is sent as an RCS message, the system could attempt to transcribe the file without any user involvement. This action would lead to a crash in the target device’s C2 process.
Researchers have demonstrated methods to reproduce the crash locally and remotely:
- Transfer the malicious APE file (
overflow.ape) to the device. - Play the file using the “My Files” application.
- Set up a test device to send RCS messages to the target Samsung phone.
- Replace the RCS media cache file with the malicious APE file.
- Send an audio message to the target device.
Upon receiving the malicious file, the target device’s C2 service crashes, generating debug logs that confirm the buffer overflow. The relevant process crash details include a SIGSEGV (segmentation fault) in the saped_rec function of the libsaped.so library.
The vulnerability is highly concerning due to its 0-click nature, allowing attackers to target devices without requiring any user action. While it is unclear if the bug is exploitable beyond crashing the process (e.g., executing arbitrary code), it remains a serious risk, especially given the memory corruption involves adjacent DMA and non-DMA data.
Samsung Galaxy S23 and S24 devices are confirmed to be affected, with no evidence yet of other Samsung models or Android phones being impacted.
The vulnerability was reported subject to Google’s Project Zero disclosure policy, which provides vendors 90 days to release fixes before making the issue public.
If the fix is deployed before the deadline, the details will become public after 30 days. The disclosure deadline for this issue is set for December 19, 2024, unless a patch is released earlier.
Google Project Zero’s disclosure policies aim to encourage swift resolutions to critical flaws while enhancing user security.
Google advised the user to apply the following steps: Until a patch is released, users are advised to:
- Disable RCS messaging if it is unnecessary.
- Avoid opening or playing untrusted audio files through messaging apps or file browsers.
- Apply security updates from Samsung as soon as they are available.
The Fix
At the recent Samsung patch update, among the critical vulnerabilities identified, five Common Vulnerabilities and Exposures (CVE) have been prioritized for immediate attention. including this 0-click vulnerability:
These vulnerabilities pose significant risks as they enable attackers to execute arbitrary code, potentially leading to unauthorized access to sensitive information and control over affected devices.
This vulnerability underscores the risks of modern smartphone ecosystems where media handling services and messaging protocols introduce new attack vectors. Users are encouraged to stay vigilant and ensure their devices are updated with the latest security patches.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!