Security researchers have identified a vulnerability affecting Monkey’s Audio Encoder in Samsung smartphones running Android. The flaw could let a remote attacker execute arbitrary code by sending a voice message. The issue is tracked as CVE-2024-49415 and has a high CVSS score of 8.1, underscoring the severity of the risk. The affected devices span Android versions 12, 13, and 14, meaning a wide range of recent Samsung smartphones could be exposed to exploitation. The vulnerability was disclosed by security researchers through industry channels, and it does not require user interaction beyond receiving the voice message to become active in some scenarios. In practical terms, messaging apps that handle voice notes and transcripts are potential vectors, especially where audio data is processed locally on the device.
Samsung’s analysis points to out of bounds writes in the libsaped.so library as the root cause. When the malformed payload is processed, it can allow attacker supplied code to run within the app’s process. Samsung fixed the flaw as part of the standard monthly security updates, strengthening input validation for incoming audio data and preventing malformed payloads from triggering execution. The patch is designed to ensure the media processing pipeline bounds checks and sanitizes data before decoding speech or transcription payloads, blocking exploitation paths. Users are advised to install the official update promptly to minimize exposure. This effort aligns with Samsung’s ongoing security program to coordinate fixes with the wider Android ecosystem and keep devices protected against similar memory safety issues.
Google Project Zero researcher Natalie Silvanovich demonstrated that the vulnerability can be triggered without any user interaction. The exploit can occur when Google Messages uses the RCS transcription feature, a default configuration on many Galaxy devices including the S23 and S24 series. In that setup, the voice message is decoded locally by the transcription service before the user notices anything unusual, creating a pathway for the vulnerability to execute silently. This means an attacker could craft a message that activates the problem simply by sending a voice note via Messages, increasing the chances of a successful compromise.
Industry analysis explains that an attacker could send a specially crafted voice message via Google Messages, causing the media encoding component to fail in a way that permits code execution. The description highlights the fragility of the media encoding pipeline when processing untrusted audio data, especially under default RCS enabled messaging. The consequence extends beyond a single device; any Samsung smartphone running the affected Android versions that uses the APE encoding path for audio data could be at risk. Security researchers emphasize applying the latest firmware and app updates and monitoring advisories from Samsung and Google to stay protected.
Samsung also addressed a separate SmartSwitch vulnerability, CVE-2024-49413 with a CVSS score of 7.1. This local flaw could allow a attacker to install malicious applications due to improper cryptographic signature verification. The fix strengthens the verification process and reduces the risk of unauthorized installs through firmware updates or side-loading. Users are urged to install the latest security updates on their devices to mitigate both issues and to enable automatic updates if available so patches are installed promptly.