Google Project Zero researcher Natalie Silvanovich has disclosed a vulnerability in Samsung devices that, according to the available details, can be triggered with no user interaction (a zero-click bug) and, in her words, exposes a “fun new attack surface” under specific conditions. The vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android 12, 13 and 14.
Samsung has released a patch for the flaw in its December 2024 Security Maintenance Release. The bug is an out-of-bounds write in the Monkey’s Audio (APE) decoder on Samsung smartphones that can lead to code execution. The attack path runs through the Google Messages application: when the app is configured for Rich Communication Services (RCS), which is the default on Galaxy S23 and S24 devices, it decodes incoming audio messages locally before the user opens them, so a malicious audio file is processed without any interaction from the recipient.
In her bug report, Silvanovich explains that the function “saped_rec” in “libsaped.so” writes to a “dmabuf” allocated by the C2 media service, which always appears to be 0x120000 bytes in size. The maximum blocksperframe value that libsapedextractor accepts is also capped at 0x120000, but “saped_rec” can write up to 3 * blocksperframe bytes of output when the input uses 24-bit samples (3 bytes per sample). The cap therefore bounds the number of blocks, not the number of output bytes: an APE file with blocksperframe at or near the limit produces up to 0x360000 bytes, three times the size of the buffer, and overflows it. An attacker who sends such a file as an audio message through Google Messages to an RCS-enabled device can crash the media codec process (“samsung.software.media.c2”) and, by exploiting the overflow further, potentially gain remote code execution on the device.
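To make the size mismatch concrete, the following is an added model in C; it is not Samsung’s code and not from the Project Zero report. The two 0x120000 constants are the ones quoted above, while the function names, the bytes-per-sample formula (which generalizes the report’s 3 * blocksperframe figure for 24-bit input to other sample widths) and the omission of channel layout are assumptions of the model. It shows why capping blocksperframe alone does not protect a fixed 0x120000-byte destination, alongside a hardened check that bounds the derived output size against the actual buffer:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Figures quoted in the write-up above. */
#define DMABUF_SIZE         0x120000u  /* C2 media service output dmabuf, always this size */
#define MAX_BLOCKSPERFRAME  0x120000u  /* cap applied by libsapedextractor */

/* The extractor's check as described: it bounds the block count only. */
bool extractor_accepts(uint32_t blocksperframe)
{
    return blocksperframe <= MAX_BLOCKSPERFRAME;
}

/* Assumed model of the decoder's output size: one decoded sample per block,
 * each bits_per_sample/8 bytes wide, so 24-bit input yields 3 * blocksperframe
 * bytes (the case in the report). Channel layout is left out of the model.
 * Computed in 64 bits so the size arithmetic itself cannot wrap. */
uint64_t saped_rec_output_bytes(uint32_t blocksperframe, uint32_t bits_per_sample)
{
    return (uint64_t)blocksperframe * (bits_per_sample / 8u);
}

/* True when a frame the extractor lets through still exceeds the dmabuf. */
bool frame_overflows_dmabuf(uint32_t blocksperframe, uint32_t bits_per_sample)
{
    return extractor_accepts(blocksperframe) &&
           saped_rec_output_bytes(blocksperframe, bits_per_sample) > DMABUF_SIZE;
}

/* Hardened check (assumed fix, not Samsung's): reject unsupported sample
 * widths, keep the block cap, and compare the derived byte count against the
 * real destination size rather than trusting the block cap alone. */
bool hardened_accepts(uint32_t blocksperframe, uint32_t bits_per_sample, size_t dmabuf_size)
{
    if (bits_per_sample != 8u && bits_per_sample != 16u && bits_per_sample != 24u)
        return false;
    if (blocksperframe == 0u || blocksperframe > MAX_BLOCKSPERFRAME)
        return false;
    return saped_rec_output_bytes(blocksperframe, bits_per_sample) <= dmabuf_size;
}

/* Simulated decode into a caller-owned buffer. Returns bytes written, or 0 if
 * the frame was refused. Sample content is a placeholder ramp; only the
 * bounds logic matters here. */
size_t decode_frame_into(uint8_t *dst, size_t dst_len, uint32_t blocksperframe,
                         uint32_t bits_per_sample)
{
    if (!hardened_accepts(blocksperframe, bits_per_sample, dst_len))
        return 0;
    size_t need = (size_t)saped_rec_output_bytes(blocksperframe, bits_per_sample);
    for (size_t i = 0; i < need; i++)
        dst[i] = (uint8_t)i;
    return need;
}

/* Small fixed-size stand-in for the dmabuf so the guarded path can be exercised. */
size_t decode_into_small_buffer(uint32_t blocksperframe, uint32_t bits_per_sample)
{
    static uint8_t small_buf[12];
    return decode_frame_into(small_buf, sizeof small_buf, blocksperframe, bits_per_sample);
}

int main(void)
{
    /* Constructed sample values: 0x60000 is the largest 24-bit frame that fits exactly. */
    const uint32_t cases[] = { 0x1000u, 0x60000u, 0x60001u, MAX_BLOCKSPERFRAME };
    printf("%-12s %-12s %-10s %-9s\n", "blocks", "out bytes", "overflow", "hardened");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t bpf = cases[i];
        printf("0x%-10x 0x%-10llx %-10s %-9s\n", bpf,
               (unsigned long long)saped_rec_output_bytes(bpf, 24u),
               frame_overflows_dmabuf(bpf, 24u) ? "yes" : "no",
               hardened_accepts(bpf, 24u, DMABUF_SIZE) ? "accept" : "reject");
    }
    return 0;
}
```

The table printed by main shows the point of the report in one line: blocksperframe = 0x120000 passes the extractor’s cap yet needs 0x360000 output bytes for 24-bit input, while the hardened check refuses anything above 0x60000 blocks for a 0x120000-byte destination.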
The flaw is all the more concerning because it requires no user intervention to trigger. Users are advised to install the released patch to protect themselves against the zero-click exploit.