When "Open" Standards aren't really open

We have a customer in India that was attacked via this vulnerability and it caused significant damage including affecting over 100 devices. In retrospect, the fact that their IOS devices were not affected was a major clue that was overlooked by all (including us) trying to help them.

The core issue is what responsibility a company has when they make use of an “open” standard, but also make proprietary extensions or enhancements to them.

In this case it’s ALAC which is what Apple uses for their “lossless” audio codec.

There is ample evidence that Apple knew about these flaws and fixed them with their own products several years ago, but they never bothered to contribute any of those fixes back to the wider community, which to my mind should be a part of any company using an open standard tech.

Flaw in Audio Format Exposed Millions of Android Phones to Remote Hacking | PCMag

BTW: This sadly is not a new thing. Something similar happened a few years ago where the company behind PKZIP found and fixed multiple vulnerabilities in the ZIP format, and fixed them, but only in their commercial products


How did the attacker get the ALAC audio file onto the devices? Did it also require some sort of security permission on Android, or was it straight to root access.

The method was actually pretty simple. The company’s top management frequently sent out short audio messages via email to their employees, usually just motivational or marketing stuff.

An outsider managed to spoof an email address that looked almost identical to the CEO’s. When the users actually played the file, various malware, mostly tracking or camera related, got installed. No root or special access needed.

It went undetected for multiple months, until their CIO noticed that the employee mobile data use spiked significantly for no obvious reason.

PS: The article is wrong or possibly out of date about it not being exploited in the wild as once they did figure it out, they reported it to their security software vendor (about 6 weeks ago).

PPS: all of the affected phones required a factory reset to remove the malware

1 Like

Address spoofing has gotten way more sophisticated of late. Before, you could at least mouse over a link and see that it is a completely bogus site.

But now, they are doing tricks like combining the letters ‘r’ and ‘n’ to make it look like an ‘m’, and it becomes nearly impossible to tell whether a link is fake.

1 Like

Holy ****! (<- fill in your favorite four-letter expletive)

BTW: If it seems like the number of attacks and exploits are getting both ever more numerous, but also more serious, you aren’t wrong. One of our consultants works with Mandiant.

Hackers are exploiting 0-days more than ever | Ars Technica