Critical Vulnerability on Samsung Devices Could Enable Remote Exploitation


A significant vulnerability has been uncovered in Samsung smartphones, linked to the Monkey’s Audio (APE) decoder. The flaw, now resolved, was identified as CVE-2024-49415, carrying a CVSS score of 8.1, and could allow attackers to remotely execute code on devices running Android versions 12, 13, and 14.

Samsung addressed the issue in its December 2024 security update with a fix that enhances input validation to block potential exploits.


Zero-Interaction Exploit in Audio Transcription

This security gap was reported by Google Project Zero researcher Natalie Silvanovich, who emphasized that it is a zero-click vulnerability, meaning the attack can be carried out without any action by the device owner. The flaw is particularly relevant to users of Google Messages configured with Rich Communication Services (RCS), a default setting on Samsung Galaxy S23 and S24 devices.


In these devices, the transcription service automatically decodes incoming audio messages locally, even before the user interacts with them.

Flaw Mechanism Breakdown

The vulnerability is attributed to an out-of-bounds write in the saped_rec function of the libsaped.so library. Silvanovich noted that the function interacts with a dmabuf buffer from the C2 media service, which has a fixed size of 0x120000 bytes.

However, because of how APE files are processed, the function can write up to three times the allocated size when handling audio with 24-bit samples, overflowing the buffer. A malicious actor could craft an audio file with an unusually large blocksperframe value, crashing the media codec service (samsung.software.media.c2) and opening a pathway for further exploitation.
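The following is an added illustration, not Samsung's patch or libsaped's own code, of the kind of input validation that closes this class of bug: before decoding a frame, compute how many output bytes it would produce from blocksperframe and the sample width, and refuse the frame when that exceeds the fixed 0x120000-byte output buffer named in the article. The struct and function names are hypothetical, and the check is written generically for 8-, 16- and 24-bit samples rather than only the 24-bit case the article describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Fixed size of the C2 dmabuf output buffer, as given in the article. */
#define SAPED_OUT_BUF_SIZE 0x120000u

/* Hypothetical, simplified view of the APE header fields that matter here
 * (not libsaped's real types). */
struct ape_frame_params {
    uint32_t blocksperframe;  /* decoded samples produced by one frame */
    uint16_t bitspersample;   /* 8, 16 or 24 */
};

/* Bytes each decoded sample occupies in the output buffer, or 0 when the
 * bit depth is not one the decoder should accept at all. */
static uint32_t ape_bytes_per_sample(uint16_t bitspersample)
{
    switch (bitspersample) {
    case 8:  return 1;
    case 16: return 2;
    case 24: return 3;   /* the 24-bit case that triples the write size */
    default: return 0;
    }
}

/* Returns the number of output bytes one frame would write, or 0 when the
 * frame must be rejected: unsupported bit depth, zero blocks, or a result
 * larger than out_buf_size. The multiplication is done in 64 bits so a huge
 * blocksperframe cannot wrap around and slip past the comparison. */
uint64_t ape_checked_frame_bytes(const struct ape_frame_params *p,
                                 uint32_t out_buf_size)
{
    uint32_t bps = ape_bytes_per_sample(p->bitspersample);
    if (bps == 0 || p->blocksperframe == 0)
        return 0;
    uint64_t needed = (uint64_t)p->blocksperframe * bps;
    if (needed > out_buf_size)
        return 0;  /* would overflow the dmabuf: do not decode this frame */
    return needed;
}

int main(void)
{
    /* Constructed inputs: one frame that fits, one oversized 24-bit frame. */
    struct ape_frame_params ok  = { 0x60000, 24 };
    struct ape_frame_params bad = { 0x120000, 24 };
    printf("fits: %llu bytes\n", (unsigned long long)ape_checked_frame_bytes(&ok, SAPED_OUT_BUF_SIZE));
    printf("rejected: %llu\n", (unsigned long long)ape_checked_frame_bytes(&bad, SAPED_OUT_BUF_SIZE));
    return 0;
}
```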

Preventive Measures and Recommendations

To mitigate these threats, users should ensure their devices are updated with the latest security patches. Disabling RCS in Google Messages may further reduce the risk of zero-click exploits. It is also advisable to keep essential system apps updated to strengthen device defenses.

This vulnerability highlights the critical need for robust validation mechanisms in audio processing services and demonstrates the risks posed by zero-interaction attack vectors in modern messaging platforms.

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his knowledge and technical management capabilities go well beyond them. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and more.
