Android Flaw Enables Code Execution via Message

Researchers from Google’s Project Zero team conducted a thorough examination of a new exploit that is capable of remotely executing code with Linux kernel privileges by sending SMS or RCS messages with a specially designed audio attachment. This attack does not require any action from the user, such as viewing or listening to the received message.

The exploit targets two vulnerabilities: one in the Dolby Unified Decoder library and another in the bigwave driver for the Linux kernel. Previously, exploiting vulnerabilities in codecs required the user to interact with the malicious content. However, with the integration of AI assistants in recent Android firmware releases, multimedia content is automatically decoded upon receipt, making it susceptible to 0-click attacks that do not require user interaction. Specifically, the Google Messages application, through the com.google.android.tts service, automatically transcribes audio messages for text search, exposing vulnerabilities in existing audio codecs without the user’s involvement.

The vulnerability in the Dolby Unified Decoder library is an integer overflow in the calculation of the buffer size for processed syncframe data structures. Because the wrapped result is smaller than the data later written into it, an attacker can write past the allocated buffer, overwrite pointers, and execute malicious code with the limited rights of the SELinux “mediacodec” domain.
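An added illustration of the bug class described above (not Project Zero's or Dolby's code): a constructed syncframe-style header whose 32-bit buffer-size multiplication wraps, beside the overflow-checked computation a decoder should use. The header fields, the sample values and the size limit are assumptions, not the real format.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for a syncframe header; field names are
 * hypothetical and do not describe the Dolby bitstream. */
typedef struct {
    uint32_t block_count;  /* number of data blocks in the frame */
    uint32_t block_bytes;  /* bytes per block */
} frame_hdr_t;

/* Vulnerable form: a 32-bit multiply that silently wraps, so the
 * allocation ends up far smaller than the bytes the decoder later
 * copies into it (block_count * block_bytes, taken block by block). */
uint32_t buffer_size_unchecked(const frame_hdr_t *h) {
    return h->block_count * h->block_bytes;
}

/* Hardened form: detect the wrap with a checked multiply and reject
 * anything above a decoder-specific upper bound (assumed here).
 * Returns 0 and fills *out on success, -1 on overflow or over-limit. */
int buffer_size_checked(const frame_hdr_t *h, uint32_t limit, uint32_t *out) {
    uint32_t total;
    if (__builtin_mul_overflow(h->block_count, h->block_bytes, &total))
        return -1;            /* product does not fit the size type */
    if (total > limit)
        return -1;            /* fits, but larger than any valid frame */
    *out = total;
    return 0;
}

/* Constructed malicious header: 0x40000001 * 4 = 0x100000004, which
 * wraps to 4 in 32 bits, so the unchecked path allocates 4 bytes. */
static const frame_hdr_t kWrapping = { 0x40000001u, 4u };
/* Constructed benign header: 6 blocks of 1536 bytes. */
static const frame_hdr_t kBenign   = { 6u, 1536u };
#define ASSUMED_MAX_FRAME_BYTES (1u << 24)

uint32_t demo_wrapped_size(void) { return buffer_size_unchecked(&kWrapping); }

int demo_checked_rejects(void) {
    uint32_t n;
    return buffer_size_checked(&kWrapping, ASSUMED_MAX_FRAME_BYTES, &n);
}

uint32_t demo_checked_benign(void) {
    uint32_t n = 0;
    return buffer_size_checked(&kBenign, ASSUMED_MAX_FRAME_BYTES, &n) == 0 ? n : 0;
}
```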

The kernel stage of the exploit leverages a vulnerability in the bigwave driver, which backs the /dev/bigwave character device that is accessible from the SELinux “mediacodec” context. By manipulating the BIGO_IOCX_PROCESS ioctl call, the attacker can overwrite kernel structures and execute code with kernel-level privileges.

The vulnerability in the Dolby Unified Decoder library, responsible for decoding Dolby Digital and Dolby Digital Plus formats, is not exclusive to Android or Pixel 9 firmware. It also affects other platforms such as Samsung, MacBook Air M1, iPhone 17 Pro, and Windows systems.
