Cybersecurity researchers have detailed a now-patched security flaw impacting the Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution.
The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14.
"Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code," Samsung said in an advisory for the flaw released in December 2024 as part of its monthly security updates. "The patch adds proper input validation."
Google Project Zero researcher Natalie Silvanovich, who discovered and reported the shortcoming, described it as requiring no user interaction to trigger (i.e., zero-click) and a "fun new attack surface" under specific conditions.
In particular, it works if Google Messages is configured for Rich Communication Services (RCS), the default configuration on Galaxy S23 and S24 phones, because the transcription service locally decodes incoming audio for transcription purposes before the user ever interacts with the message.
"The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000," Silvanovich explained.
"While the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write up to 3 * blocksperframe bytes out, if the bytes per sample of the input is 24. This means that an APE file with a large blocksperframe size can substantially overflow this buffer."
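The mismatch described above is between a limit on the number of blocks and a buffer sized in bytes: the extractor caps blocksperframe at the buffer size, but the decoder emits bytes-per-sample bytes per block. The following is an added example, not Samsung's code and not Project Zero's, of a bounds check of the kind the advisory's "proper input validation" implies, using the sizes quoted in the write-up. It assumes the decoded output occupies blocksperframe * (bits per sample / 8) bytes, as the quote states for 24-bit input; it does not model channel count, which the write-up does not describe; and the function names, constants and the accepted 8/16/24-bit widths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes taken from the write-up: the dmabuf allocated by the C2 media service
 * is always 0x120000 bytes, and libsapedextractor caps blocksperframe at the
 * same value. Both names are constructed for this example. */
#define SAPED_DMABUF_SIZE   0x120000u
#define MAX_BLOCKSPERFRAME  0x120000u

/* Hypothetical validation helper. Returns true only if a frame declaring
 * `blocksperframe` blocks at `bits_per_sample` bits can be decoded into an
 * output buffer of `out_size` bytes. The product is computed in 64 bits so
 * the size calculation itself cannot wrap around. */
bool saped_frame_fits(uint32_t blocksperframe, uint32_t bits_per_sample,
                      size_t out_size)
{
    /* Keep the extractor's existing cap on the block count. */
    if (blocksperframe == 0 || blocksperframe > MAX_BLOCKSPERFRAME)
        return false;

    /* Assumed set of supported sample widths; anything else is rejected. */
    if (bits_per_sample != 8 && bits_per_sample != 16 && bits_per_sample != 24)
        return false;

    uint64_t bytes_per_sample = bits_per_sample / 8;
    uint64_t needed = (uint64_t)blocksperframe * bytes_per_sample;

    /* This is the check the block-count cap alone does not provide: the
     * decoded byte count, not the block count, must fit the buffer. */
    return needed <= (uint64_t)out_size;
}

/* Largest blocksperframe a frame may declare at a given sample width so that
 * the decoded output still fits a fixed buffer of `out_size` bytes. */
uint32_t saped_max_blocksperframe(uint32_t bits_per_sample, size_t out_size)
{
    if (bits_per_sample != 8 && bits_per_sample != 16 && bits_per_sample != 24)
        return 0;
    uint64_t limit = (uint64_t)out_size / (bits_per_sample / 8);
    if (limit > MAX_BLOCKSPERFRAME)
        limit = MAX_BLOCKSPERFRAME;
    return (uint32_t)limit;
}

int main(void)
{
    /* Constructed frame headers: the extractor's maximum block count at each
     * sample width. Only the 8-bit case fits the 0x120000-byte buffer. */
    const uint32_t widths[] = { 8, 16, 24 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        uint32_t w = widths[i];
        printf("%2u-bit: blocksperframe=0x%x fits=%s, max safe blocksperframe=0x%x\n",
               w, MAX_BLOCKSPERFRAME,
               saped_frame_fits(MAX_BLOCKSPERFRAME, w, SAPED_DMABUF_SIZE) ? "yes" : "no",
               saped_max_blocksperframe(w, SAPED_DMABUF_SIZE));
    }
    return 0;
}
```

With the quoted sizes, a 24-bit frame may declare at most 0x60000 blocks before its decoded output exceeds the buffer, one third of what the block-count cap alone permits; a check that compares only blocksperframe against 0x120000 passes every 24-bit frame up to three times that limit.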
In a hypothetical attack scenario, an attacker could send a specially crafted audio message via Google Messages to any target device that has RCS enabled, causing its media codec process ("samsung.software.media.c2") to crash.
Samsung's December 2024 patch also addresses another high-severity vulnerability in SmartSwitch (CVE-2024-49413, CVSS score: 7.1) that could allow local attackers to install malicious applications by taking advantage of improper verification of a cryptographic signature.