Cybersecurity researchers discovered and patched a vulnerability in Monkey’s Audio Encoder (APE) on Samsung smartphones that allowed attackers to remotely execute arbitrary code by sending voice messages. The vulnerability, identified as CVE-2024-49415 (CVSS score: 8.1), affected Samsung devices running Android 12, 13 and 14, The Hacker News (THN) reports.
According to Samsung, the vulnerability was an out-of-bounds write in the libsaped.so library that led to malicious code execution. The fix, released in December 2024 as part of the monthly security updates, adds proper validation of incoming data.
Google Project Zero researcher Natalie Silvanovich, who discovered the vulnerability, noted that it can be triggered without any user interaction. The exploit worked when Google Messages was used with RCS support enabled, which is the default setting on Galaxy S23 and S24 phones. In that configuration the transcription service decoded incoming voice messages locally before the user interacted with them, which is what made the flaw reachable without user action.
“An attacker could send a specially crafted voice message via Google Messages, causing the media encoding process (‘samsung.software.media.c2’) to fail,” THN writes.
In December 2024, Samsung also patched another serious vulnerability, this one in SmartSwitch (CVE-2024-49413, CVSS score: 7.1). It allowed local attackers to install malicious applications due to improper cryptographic signature verification. Samsung users are strongly advised to install the latest security updates.
Source: Gazeta

Jackson Ruhl is a tech and sci-fi expert, who writes for “Social Bites”. He brings his readers the latest news and developments from the world of technology and science fiction.