Cybersecurity researchers have detailed a now-patched security flaw affecting the Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution.
The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14.
“Out-of-bounds write in libsaped.so before SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in an advisory for the flaw published in December 2024 as part of its monthly security updates. “Patch adds proper input validation.”
Google Project Zero researcher Natalie Silvanovich, who discovered and reported the flaw, described it as requiring no user interaction to trigger (i.e., zero-click) and as a “fun new attack surface” under certain conditions.
Specifically, it is reachable when Google Messages is configured for Rich Communication Services (RCS), the default configuration on Galaxy S23 and S24 phones, because the transcription service decodes incoming audio locally before the user interacts with the message.
“The saped_rec function in libsaped.so writes to the dmabuf allocated by the C2 media service, which is always 0x120000 in size,” Silvanovich explained.
“Although the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write out up to 3 * blocksperframe bytes when the bytes per sample of the input data is 24. This means that an APE file with a large blocksperframe size can significantly overflow this buffer.”
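To make the size arithmetic in the quoted explanation concrete, here is an added example that is not Samsung's or libsaped's code: the 0x120000 buffer size and blocksperframe cap are the figures quoted above, while the function names, the hypothetical pre-patch check and the model of decoded output as blocksperframe times bytes-per-sample are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size of the dmabuf the article says the C2 media service always allocates. */
#define SAPED_DMABUF_SIZE 0x120000u
/* Cap the article says libsapedextractor applies to blocksperframe. */
#define MAX_BLOCKS_PER_FRAME 0x120000u

/* Output bytes a decoded frame occupies: one sample per block, each
   bytes_per_sample wide (1, 2 or 3 for 8-, 16- and 24-bit input).
   Assumed model of the write described above, not libsaped's real logic. */
uint64_t decoded_frame_bytes(uint32_t blocks_per_frame, uint32_t bytes_per_sample) {
    return (uint64_t)blocks_per_frame * bytes_per_sample;
}

/* Hypothetical pre-patch style check: only blocksperframe is capped, so
   the decoded size for 24-bit input is never compared to the buffer. */
bool accept_frame_old(uint32_t blocks_per_frame, uint32_t bytes_per_sample) {
    (void)bytes_per_sample;
    return blocks_per_frame <= MAX_BLOCKS_PER_FRAME;
}

/* Hardened check: reject unsupported sample widths and any frame whose
   decoded size would exceed the destination buffer. The 64-bit product
   keeps the multiplication itself from wrapping. */
bool accept_frame_new(uint32_t blocks_per_frame, uint32_t bytes_per_sample,
                      size_t dst_size) {
    if (bytes_per_sample < 1 || bytes_per_sample > 3) return false;
    if (blocks_per_frame > MAX_BLOCKS_PER_FRAME) return false;
    return decoded_frame_bytes(blocks_per_frame, bytes_per_sample) <= dst_size;
}

int main(void) {
    /* Constructed input: the largest blocksperframe the extractor allows,
       with 24-bit (3 byte) samples. */
    uint32_t bpf = MAX_BLOCKS_PER_FRAME;
    printf("24-bit, blocksperframe=0x%x: decoded 0x%llx bytes into a 0x%x buffer; "
           "old check %s, new check %s\n",
           bpf, (unsigned long long)decoded_frame_bytes(bpf, 3), SAPED_DMABUF_SIZE,
           accept_frame_old(bpf, 3) ? "accepts" : "rejects",
           accept_frame_new(bpf, 3, SAPED_DMABUF_SIZE) ? "accepts" : "rejects");
    return 0;
}
```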
In a hypothetical attack scenario, an attacker could send a specially crafted audio message via Google Messages to any RCS-enabled target device, causing the media codec (“samsung.software.media.c2”) process to crash.
Samsung's December 2024 patch also addresses another high-severity vulnerability in SmartSwitch (CVE-2024-49413, CVSS score: 7.1), which could allow local attackers to install malicious applications by taking advantage of improper cryptographic signature verification.