Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices

Cybersecurity researchers have detailed a now-patched security flaw impacting Monkey’s Audio (APE) decoder on Samsung smartphones that could lead to code execution.

The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14.

“Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in an advisory for the flaw released in December 2024 as part of its monthly security updates. “The patch adds proper input validation.”

Google Project Zero researcher Natalie Silvanovich, who discovered and reported the shortcoming, described it as requiring no user interaction to trigger (i.e., zero-click) and a “fun new attack surface” under specific conditions.

Particularly, this works if Google Messages is configured for rich communication services (RCS), the default configuration on Galaxy S23 and S24 phones, as the transcription service locally decodes incoming audio before a user interacts with the message for transcription purposes.

“The function saped_rec in libsaped.so writes to a dmabuf allocated by the C2 media service, which always appears to have size 0x120000,” Silvanovich explained.

“While the maximum blocksperframe value extracted by libsapedextractor is also limited to 0x120000, saped_rec can write up to 3 * blocksperframe bytes out, if the bytes per sample of the input is 24. This means that an APE file with a large blocksperframe size can substantially overflow this buffer.”

In a hypothetical attack scenario, an attacker could send a specially crafted audio message via Google Messages to any target device that has RCS enabled, causing its media codec process (“samsung.software.media.c2”) to crash.

Samsung’s December 2024 patch also addresses another high-severity vulnerability in SmartSwitch (CVE-2024-49413, CVSS score: 7.1) that could allow local attackers to install malicious applications by taking advantage of improper verification of cryptographic signature.

Quelle

Kommentar verfassen Kommentieren abbrechen

London, GB

4:41 am, Apr. 20, 2025

6°C

L: 5° | H: 7°

Fühlt sich an wie 4°C° broken clouds

Luftfeuchtigkeit: 85 %

Druck: 1007 mb

Wind: 7 mph NNE

Windböe: 0 mph

UV-Index: 0

Niederschlag: 0 mm

Wolken: 75%

Regen Chance: 0%

Sichtbarkeit: 10 km

Sonnenaufgang: 5:53 am

Sonnenuntergang: 8:04 pm

TäglichStündlich

Tägliche VorhersageStündliche Vorhersage

Today 10:00 pm

5° | 7°°C 0 mm 0% 10 mph 90 % 1008 mb 0 mm/h

Tomorrow 10:00 pm

8° | 16°°C 0.7 mm 70% 11 mph 94 % 1013 mb 0 mm/h

Di. Apr. 22 10:00 pm

7° | 15°°C 0.2 mm 20% 8 mph 83 % 1019 mb 0 mm/h

Mi. Apr. 23 10:00 pm

9° | 14°°C 1 mm 100% 15 mph 96 % 1018 mb 0 mm/h

Do. Apr. 24 10:00 pm

9° | 12°°C 0 mm 0% 8 mph 86 % 1025 mb 0 mm/h

Today 7:00 am

6° | 7°°C 0 mm 0% 8 mph 84 % 1008 mb 0 mm/h

Today 10:00 am

11° | 13°°C 0 mm 0% 10 mph 69 % 1007 mb 0 mm/h

Today 1:00 pm

19° | 19°°C 0 mm 0% 10 mph 58 % 1007 mb 0 mm/h

Today 4:00 pm

14° | 14°°C 0 mm 0% 7 mph 73 % 1007 mb 0 mm/h

Today 7:00 pm

14° | 14°°C 0 mm 0% 6 mph 78 % 1007 mb 0 mm/h

Today 10:00 pm

9° | 9°°C 0 mm 0% 4 mph 90 % 1007 mb 0 mm/h

Tomorrow 1:00 am

8° | 8°°C 0 mm 0% 3 mph 92 % 1007 mb 0 mm/h

Tomorrow 4:00 am

8° | 8°°C 0 mm 0% 1 mph 94 % 1007 mb 0 mm/h

Name	Preis	24H (%)
Bitcoin(BTC)	€74,906.72	0.32%
Ethereum(ETH)	€1,419.31	1.04%
Fesseln(USDT)	€0.88	0.01%
XRP(XRP)	€1.83	0.01%
Solana(SOL)	€123.91	1.54%
USDC(USDC)	€0.88	-0.01%
Dogecoin(DOGE)	€0.139062	-0.60%
Shiba Inu(SHIB)	€0.000011	0.33%
Pepe(PEPE)	€0.000007	2.52%

Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices

Teilen:

Kommentar verfassen Kommentieren abbrechen

Verbindung zum Dienstprogramm

Nützlicher Link

Newsletter

Folgen Sie uns