Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices


Jan 10, 2025 | Ravie Lakshmanan | Cybersecurity / Android


Cybersecurity researchers have detailed a now-patched security flaw affecting the Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution.

The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14.

"Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code," Samsung said in an advisory for the flaw released in December 2024 as part of its monthly security updates. "The patch adds proper input validation."

Google Project Zero researcher Natalie Silvanovich, who discovered and reported the flaw, described it as requiring no user interaction to trigger (i.e., zero-click) and a "fun new attack surface" under specific conditions.

Specifically, this works if Google Messages is configured for rich communication services (RCS), the default configuration on Galaxy S23 and S24 phones, since the transcription service locally decodes incoming audio before a user interacts with the message for transcription purposes.


"The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000," Silvanovich explained.

"While the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write up to 3 * blocksperframe bytes out, if the bytes per sample of the input is 24. This means that an APE file with a large blocksperframe size can substantially overflow this buffer."
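The arithmetic behind that overflow, and the output-size check a patched decoder needs, modelled as an added example (this is illustrative code written for this article, not Samsung's libsaped.so; the function names and the single-channel, bytes-per-sample = bits/8 model are assumptions, while the 0x120000 buffer and blocksperframe cap are the figures quoted above):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Figures quoted in the article. The real libsaped.so internals are not
 * public, so the functions below are an illustrative model, not Samsung's code. */
#define DMABUF_SIZE        0x120000u  /* output dmabuf size observed by Silvanovich */
#define MAX_BLOCKSPERFRAME 0x120000u  /* cap enforced by libsapedextractor */

/* Bytes a decoded frame occupies in the output buffer: one sample per block,
 * bytes-per-sample derived from bit depth (8->1, 16->2, 24->3).
 * Returns 0 for an unsupported depth. Uses 64-bit math so the product
 * cannot itself wrap around. */
uint64_t ape_frame_output_bytes(uint32_t blocksperframe, uint32_t bits_per_sample)
{
    if (bits_per_sample != 8 && bits_per_sample != 16 && bits_per_sample != 24)
        return 0;
    return (uint64_t)blocksperframe * (bits_per_sample / 8);
}

/* Pre-patch logic as the article describes it: only blocksperframe is capped,
 * so a 24-bit input may still require 3x the destination buffer. */
bool accepts_frame_vulnerable(uint32_t blocksperframe, uint32_t bits_per_sample)
{
    (void)bits_per_sample;  /* never consulted: the root cause of the overflow */
    return blocksperframe <= MAX_BLOCKSPERFRAME;
}

/* Hardened logic: validate the output size the header implies against the
 * destination buffer before decoding (the "proper input validation" the patch adds). */
bool accepts_frame_hardened(uint32_t blocksperframe, uint32_t bits_per_sample,
                            size_t out_buf_size)
{
    uint64_t need = ape_frame_output_bytes(blocksperframe, bits_per_sample);
    if (need == 0 || blocksperframe > MAX_BLOCKSPERFRAME)
        return false;  /* unsupported depth, empty frame, or over the extractor cap */
    return need <= out_buf_size;
}

int main(void)
{
    /* Constructed header values: a 24-bit frame exactly at the extractor's cap. */
    uint32_t bpf = MAX_BLOCKSPERFRAME, bits = 24;
    printf("frame needs 0x%llx bytes, buffer is 0x%x\n",
           (unsigned long long)ape_frame_output_bytes(bpf, bits), DMABUF_SIZE);
    printf("vulnerable check: %s\n", accepts_frame_vulnerable(bpf, bits) ? "accept" : "reject");
    printf("hardened check:   %s\n",
           accepts_frame_hardened(bpf, bits, DMABUF_SIZE) ? "accept" : "reject");
    return 0;
}
```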

In a hypothetical attack scenario, an attacker could send a specially crafted audio message via Google Messages to any target device that has RCS enabled, causing its media codec process ("samsung.software.media.c2") to crash.

Samsung's December 2024 patch also addresses another high-severity vulnerability in SmartSwitch (CVE-2024-49413, CVSS score: 7.1) that could allow local attackers to install malicious applications by taking advantage of improper verification of a cryptographic signature.
