Google Project Zero Reveals Zero-Click Exploit in Samsung Smartphones


By Rebecca Flowers | Jan. 10, 2025

Cybersecurity researchers have uncovered a significant vulnerability in Samsung smartphones, revealing a zero-click exploit tied to the Monkey’s Audio (APE) decoder. The flaw, which has since been patched, posed a high risk to users by enabling attackers to execute arbitrary code without user interaction.

Tracked as CVE-2024-49415, the vulnerability carries a CVSS score of 8.1, reflecting its severity. It impacted Samsung devices running Android 12, 13, and 14. Samsung addressed the issue in its December 2024 security updates, emphasizing that the patch enhances input validation to prevent exploitation.


The Exploit: Zero-Click and High-Risk

Natalie Silvanovich, a researcher at Google Project Zero, discovered and reported the flaw, describing it as a “fun new attack surface” due to its unique characteristics. The vulnerability requires no user interaction to trigger—hence, a zero-click exploit.

The issue is tied to the libsaped.so library, which handles audio decoding for Samsung devices. Specifically, the vulnerability allows an attacker to exploit the function saped_rec, which writes to a memory buffer allocated by the C2 media service.

According to Silvanovich:
“The function saped_rec in libsaped.so writes to a buffer of size 0x120000. However, under certain conditions, it can write up to three times that size, resulting in a significant buffer overflow if the input audio has a specific configuration.”

This flaw could be exploited via Google Messages if the target device is configured for Rich Communication Services (RCS). In this default setting on Galaxy S23 and S24 models, audio messages are automatically decoded locally by the transcription service before user interaction, creating an opening for attackers.


Hypothetical Attack Scenario

An attacker could craft a malicious APE audio file with a manipulated blocksperframe value and send it via Google Messages. On devices with RCS enabled, the decoding process could trigger the overflow, potentially crashing the media codec process, samsung.software.media.c2, and opening the door to arbitrary code execution.
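The patch is described above only as "enhanced input validation". To make concrete what such a gate looks like, here is an added illustration (not libsaped code, and not Samsung's or Project Zero's): a hypothetical frame header with assumed field names, and a check that refuses to decode any frame whose PCM output would exceed the fixed 0x120000-byte buffer the article quotes. The sample header values are constructed; the "crafted" one is sized so that it would need exactly three times the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Output buffer capacity quoted in the article for saped_rec. */
#define SAPED_OUT_BUF_SIZE ((size_t)0x120000)

/* Hypothetical, minimal view of the APE frame parameters a decoder needs
 * before writing PCM. Field names are assumptions for illustration; they are
 * not libsaped's real data structures. */
struct ape_frame_hdr {
    uint32_t blocks_per_frame;  /* attacker-controlled in the described scenario */
    uint16_t channels;          /* APE supports 1 or 2 */
    uint16_t bits_per_sample;   /* APE supports 8, 16 or 24 */
};

/* PCM bytes the frame would decode to. Computed in 64 bits so the product
 * itself cannot wrap; returns 0 for a header outside APE's legal ranges. */
uint64_t ape_frame_out_bytes(const struct ape_frame_hdr *h) {
    if (h->channels < 1 || h->channels > 2) return 0;
    if (h->bits_per_sample != 8 && h->bits_per_sample != 16 &&
        h->bits_per_sample != 24) return 0;
    if (h->blocks_per_frame == 0) return 0;
    return (uint64_t)h->blocks_per_frame * h->channels * (h->bits_per_sample / 8);
}

/* The gate a decoder should apply before writing a frame into a fixed-size
 * buffer: reject anything that does not fit, rather than write past the end. */
bool ape_frame_fits(const struct ape_frame_hdr *h, size_t out_cap) {
    uint64_t need = ape_frame_out_bytes(h);
    return need != 0 && need <= (uint64_t)out_cap;
}

int main(void) {
    /* Constructed sample headers: a plausible 16-bit stereo frame, and one
     * whose blocks_per_frame was inflated so it would need 3x the buffer. */
    struct ape_frame_hdr benign  = { 73728u,  2, 16 };
    struct ape_frame_hdr crafted = { 884736u, 2, 16 };
    printf("benign:  %llu bytes, fits=%d\n",
           (unsigned long long)ape_frame_out_bytes(&benign),
           ape_frame_fits(&benign, SAPED_OUT_BUF_SIZE));
    printf("crafted: %llu bytes, fits=%d\n",
           (unsigned long long)ape_frame_out_bytes(&crafted),
           ape_frame_fits(&crafted, SAPED_OUT_BUF_SIZE));
    return 0;
}
```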


Additional Samsung Vulnerabilities

In addition to CVE-2024-49415, Samsung’s December security update also resolved another high-severity vulnerability. CVE-2024-49413, with a CVSS score of 7.1, was identified in the SmartSwitch application. This flaw allowed local attackers to bypass cryptographic signature verification, potentially enabling the installation of malicious apps.


What Samsung Users Should Know

Samsung has released patches for these vulnerabilities as part of its regular security updates. Users are strongly encouraged to ensure their devices are running the latest software to protect against these risks.

To mitigate potential threats:

  • Update your device to the latest firmware immediately.
  • Disable RCS if not in active use to limit exposure to exploits targeting rich communication features.
  • Regularly monitor app permissions and device activity for unusual behavior.

The Broader Implications

This discovery highlights the evolving complexity of zero-click exploits and the need for proactive cybersecurity measures. As attackers increasingly target sophisticated systems, the importance of timely updates and robust security practices cannot be overstated.
