A serious vulnerability has been discovered in the Monkey's Audio (APE) codec used on Samsung smartphones that allows arbitrary code execution. The vulnerability, tracked as CVE-2024-49415 with a CVSS score of 8.1, affects devices running Android versions 12, 13, and 14.
In Samsung's December Security Bulletin, Google Project Zero researcher Natalie Silvanovich, who discovered the vulnerability, noted that the attack requires no user interaction (zero-click), which makes it particularly dangerous. The vulnerability is triggered by the auto-shifting feature for incoming voice messages in Google Messages when RCS is enabled. This feature is enabled by default on the Galaxy S23 and S24.
The vulnerability stemmed from the "saped_rec" function, which writes data into a buffer that can overflow when a specially crafted audio file declares a large "blocksperframe" value. The overflow corrupts memory and causes the media codec to crash.
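To make the bug class concrete, here is an added toy decoder (not Samsung's or libsaped's code) in which a block count read from an untrusted frame header drives a write loop into a fixed-size sample buffer. The unchecked function reproduces the pattern described above; the checked function validates the header value against the real buffer capacity before writing anything. All names (ape_header_t, decode_frame_*, check_untrusted_frame) and the header layout are hypothetical.

```c
/* Added example, not libsaped's or Samsung's code: a toy decoder modelling
 * the bug class above. An untrusted frame header carries a block count; the
 * unchecked decoder trusts it when writing samples into a fixed-size buffer,
 * the hardened one validates it first. All names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OUT_CAPACITY 8u   /* samples the caller's output buffer can hold */

typedef struct {
    uint32_t blocksperframe;   /* field read straight from the audio file */
} ape_header_t;

/* Parse a 4-byte little-endian block count from an untrusted byte stream. */
static int parse_header(const uint8_t *buf, size_t len, ape_header_t *hdr)
{
    if (buf == NULL || len < 4) return -1;
    hdr->blocksperframe = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                          ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return 0;
}

/* Bug pattern: the loop bound comes from the file, the buffer size does not.
 * A blocksperframe larger than the buffer writes past its end. */
int decode_frame_unchecked(const ape_header_t *hdr, int16_t *out)
{
    for (uint32_t i = 0; i < hdr->blocksperframe; i++)
        out[i] = (int16_t)i;           /* stand-in for decoded sample data */
    return (int)hdr->blocksperframe;
}

/* Hardened: the header value is checked against the real capacity before
 * any write. Returns samples written, or -1 if the frame is rejected. */
int decode_frame_checked(const ape_header_t *hdr, int16_t *out, size_t out_cap)
{
    if (hdr->blocksperframe > out_cap) return -1;   /* hostile or malformed */
    for (uint32_t i = 0; i < hdr->blocksperframe; i++)
        out[i] = (int16_t)i;
    return (int)hdr->blocksperframe;
}

/* Convenience wrapper: parse an untrusted header and decode into a local
 * OUT_CAPACITY buffer through the checked path. */
int check_untrusted_frame(const uint8_t *buf, size_t len)
{
    ape_header_t hdr;
    int16_t out[OUT_CAPACITY];
    if (parse_header(buf, len, &hdr) != 0) return -1;
    return decode_frame_checked(&hdr, out, OUT_CAPACITY);
}

int main(void)
{
    /* Constructed sample headers: a sane count and an oversized one. */
    const uint8_t sane[4]      = { 0x04, 0x00, 0x00, 0x00 };   /* 4 blocks */
    const uint8_t oversized[4] = { 0xff, 0xff, 0xff, 0x7f };   /* 2^31-1   */
    printf("sane frame: %d samples\n", check_untrusted_frame(sane, 4));
    printf("oversized frame: %d (rejected)\n", check_untrusted_frame(oversized, 4));
    return 0;
}
```

The defensive point is that the capacity passed to the decoder must be the size of the buffer actually allocated, not another value derived from the same untrusted header; a check against the wrong quantity gives the same overflow with an extra line of code.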
A hypothetical attack scenario involves sending a malicious audio file via Google Messages, compromising the "samsung.software.media.c2" process on RCS-enabled devices.
In addition, Samsung's December update also addressed another vulnerability, CVE-2024-49413, in the SmartSwitch application. This vulnerability, with a CVSS score of 7.1, allowed local attackers to install malicious applications because of improper verification of the cryptographic signature.