Researchers at Google Project Zero on Friday disclosed a now-patched zero-click vulnerability that could allow remote attackers to execute arbitrary code on Samsung devices without any user interaction.
The vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), is an out-of-bounds write issue in the saped_rec function of the libsaped.so library, part of the C2 media service responsible for audio playback. It affected the Monkey's Audio (APE) decoder used in Samsung's flagship Galaxy S23 and S24 devices running Android versions 12, 13, and 14.
"Out-of-bound write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code. The patch adds proper input validation," read the advisory for the flaw released in December 2024 as part of Samsung's monthly security updates.
How could the attack be performed?
Natalie Silvanovich, the Google Project Zero researcher who identified the vulnerability and reported it to Samsung on September 21, 2024, said that the attack could be carried out by sending a malicious audio file and requires no user involvement (zero-click), which makes it particularly dangerous.
The flaw occurred due to Samsungโs handling of RCS (rich communication services) messages, specifically in how incoming audio messages are parsed and processed through the Google Messages app in Android. This setting is enabled by default on the Galaxy S23 and S24 models.
“The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000. While the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write up to 3 * blocksperframe bytes out, if the bytes per sample of the input is 24. This means that an APE file with a large blocksperframe size can substantially overflow this buffer,” Silvanovich wrote in her bug report.
"Note that this is a fully remote (0-click) bug on the Samsung S24 if Google Messages is configured for RCS (the default configuration on this device), as the transcription service decodes incoming audio before a user interacts with the message for transcription purposes."
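The report above boils down to a size check that bounds the wrong quantity: the number of blocks per frame is capped at 0x120000, but the decoder writes up to three bytes per block, so the output can reach 0x360000 bytes into a 0x120000-byte buffer. The following C example, written for this article and not taken from libsaped.so or Samsung's patch, shows the weak check beside a hardened one that validates the actual number of output bytes against the destination buffer. The constants DMABUF_SIZE and MAX_BLOCKSPERFRAME reproduce the sizes quoted in the bug report; the function names and the per-depth byte table are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sizes quoted in the bug report: the C2 media service's dmabuf is
 * 0x120000 bytes, and the extractor caps blocksperframe at the same value. */
#define DMABUF_SIZE        0x120000u
#define MAX_BLOCKSPERFRAME 0x120000u

/* Weak check (constructed illustration of the bug class): only the block
 * count is bounded. 0x120000 blocks pass, yet at 24 bits per sample they
 * expand to 0x360000 output bytes, three times the buffer. */
bool weak_frame_ok(uint32_t blocksperframe)
{
    return blocksperframe <= MAX_BLOCKSPERFRAME;
}

/* Output bytes per decoded sample for the APE bit depths (8, 16, 24).
 * Returns 0 for any depth the decoder does not support. */
uint32_t bytes_per_sample(uint32_t bits_per_sample)
{
    switch (bits_per_sample) {
    case 8:  return 1;
    case 16: return 2;
    case 24: return 3;
    default: return 0;
    }
}

/* Required output size = blocksperframe * bytes_per_sample, computed in
 * 64 bits so the product itself cannot wrap. Returns false for an
 * unsupported bit depth. */
bool required_output_bytes(uint32_t blocksperframe, uint32_t bits_per_sample,
                           uint64_t *out)
{
    uint32_t bps = bytes_per_sample(bits_per_sample);
    if (bps == 0)
        return false;
    *out = (uint64_t)blocksperframe * bps;
    return true;
}

/* Hardened check: keep the block-count cap, but also compare the real
 * output size against the destination buffer before decoding. */
bool hardened_frame_ok(uint32_t blocksperframe, uint32_t bits_per_sample,
                       size_t dst_size)
{
    uint64_t needed;
    if (blocksperframe > MAX_BLOCKSPERFRAME)
        return false;
    if (!required_output_bytes(blocksperframe, bits_per_sample, &needed))
        return false;
    return needed <= dst_size;
}

/* How many bytes past the buffer end a frame would write (0 if it fits or
 * is rejected outright). Useful when triaging a crash against a header. */
uint64_t overflow_excess(uint32_t blocksperframe, uint32_t bits_per_sample,
                         size_t dst_size)
{
    uint64_t needed;
    if (!required_output_bytes(blocksperframe, bits_per_sample, &needed))
        return 0;
    return needed > dst_size ? needed - dst_size : 0;
}

int main(void)
{
    /* Constructed frame header values matching the report's worst case. */
    uint32_t blocksperframe = 0x120000u;
    uint32_t bits = 24;

    printf("weak check accepts frame:     %s\n",
           weak_frame_ok(blocksperframe) ? "yes" : "no");
    printf("hardened check accepts frame: %s\n",
           hardened_frame_ok(blocksperframe, bits, DMABUF_SIZE) ? "yes" : "no");
    printf("bytes written past buffer:    0x%llx\n",
           (unsigned long long)overflow_excess(blocksperframe, bits, DMABUF_SIZE));
    return 0;
}
```

The point of the hardened variant is that the bound is expressed in the unit the write actually uses (bytes), not in the unit the header carries (blocks); any decoder whose output width depends on a header field needs the same translation before the cap is meaningful.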
In a hypothetical attack scenario, an attacker can exploit the vulnerability by sending a specially crafted audio message to an RCS-enabled device, causing the device's media codec process ("samsung.software.media.c2") to crash and open a way for further exploitation.
In addition to the above flaw, Samsung's December 2024 update also fixed another vulnerability: CVE-2024-49413 (CVSS score: 7.1), involving the SmartSwitch app. This flaw allowed local attackers to install malicious applications by exploiting insufficient cryptographic signature verification.
While Samsung has fixed the flaws, it is recommended that users update their RCS-enabled devices with the latest security updates. Additionally, it is advisable to disable RCS in Google Messages to reduce the risk of zero-click exploits further.