A critical vulnerability has been discovered in the Monkey's Audio (APE) decoder used on Samsung smartphones, allowing arbitrary code execution. Tracked as CVE-2024-49415 with a CVSS score of 8.1, the flaw affects Samsung devices running Android 12, 13, and 14.
According to Samsung's December 2024 security bulletin, the issue is an out-of-bounds write in the libsaped.so library that enables remote attackers to execute code without any user interaction. Samsung's patch adds the input validation that was missing.
Natalie Silvanovich, the Google Project Zero researcher who identified the flaw, highlighted its zero-click nature, which makes it particularly dangerous. The bug could be triggered through Google Messages when RCS is enabled: the voice-message transcription feature decodes incoming audio before the user has opened or interacted with the message. RCS is the default configuration on Galaxy S23 and S24 devices.
The core issue lay in the saped_rec function, which writes decoded audio into a fixed-size output buffer allocated by the media codec service. The number of bytes written is derived from the blocksperframe value in the APE header, multiplied by the sample width, so a specially crafted file with an oversized blocksperframe (and, per the Project Zero report, 24-bit samples, which triple the output size) writes well past the end of the buffer. The result is a heap buffer overflow and a crash of the media codec process.
A potential attack scenario involved sending a malicious audio file through Google Messages, causing the media process (samsung.software.media.c2) to crash on devices with RCS enabled.
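The bounds problem described above, as an added example that is not code from Samsung, libsaped.so, or the Project Zero report: a small C model that parses the blocksperframe, bits-per-sample and channel fields of an APE header, shows the unchecked write pattern beside a checked one, and feeds both a benign and an oversized constructed header. The 0x120000 buffer capacity is taken from the Project Zero write-up but treated as a constant of this model; the header offsets follow the public Monkey's Audio SDK layout and are an assumption; the function and sample names are hypothetical. The overrun is simulated (clamped) so the program itself cannot corrupt memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the decoder's fixed-size output buffer. The Project Zero
 * write-up gives 0x120000 bytes; treating it as a constant is an assumption. */
#define OUT_BUF_SIZE 0x120000u

/* Offsets inside the 24-byte APE_HEADER block, following the public
 * Monkey's Audio SDK layout (assumed; the descriptor that precedes it in a
 * file is omitted). Little-endian. Only the fields that size a frame are kept. */
#define APE_HEADER_LEN 24
typedef struct {
    uint32_t blocks_per_frame; /* offset 4 */
    uint16_t bits_per_sample;  /* offset 16: 8, 16 or 24 */
    uint16_t channels;         /* offset 18 */
} ape_header_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

bool ape_parse_header(const uint8_t *buf, size_t len, ape_header_t *h) {
    if (buf == NULL || h == NULL || len < APE_HEADER_LEN) return false;
    h->blocks_per_frame = rd32(buf + 4);
    h->bits_per_sample  = rd16(buf + 16);
    h->channels         = rd16(buf + 18);
    return true;
}

/* Bytes one decoded frame occupies: blocks * channels * bytes per sample,
 * computed in 64 bits so a hostile blocks_per_frame cannot wrap the product. */
uint64_t frame_output_bytes(const ape_header_t *h) {
    return (uint64_t)h->blocks_per_frame * h->channels * (h->bits_per_sample / 8u);
}

/* Vulnerable shape: derive the write length from the header and trust it.
 * The memset is clamped here so the example cannot corrupt memory; the
 * return value is what the unchecked write would have covered (0 = unparseable). */
uint64_t decode_frame_unchecked(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len) {
    ape_header_t h;
    if (!ape_parse_header(buf, len, &h)) return 0;
    uint64_t n = frame_output_bytes(&h);
    memset(out, 0, n > out_len ? out_len : (size_t)n); /* real bug: memset(out, 0, n) */
    return n;
}

/* Hardened shape: validate every field the write length depends on, then
 * bound that length against the destination before touching it. */
bool decode_frame_checked(const uint8_t *buf, size_t len, uint8_t *out, size_t out_len) {
    ape_header_t h;
    if (!ape_parse_header(buf, len, &h)) return false;
    if (h.bits_per_sample != 8 && h.bits_per_sample != 16 && h.bits_per_sample != 24) return false;
    if (h.channels < 1 || h.channels > 2) return false;
    uint64_t n = frame_output_bytes(&h);
    if (n == 0 || n > out_len) return false; /* the missing bounds check */
    memset(out, 0, (size_t)n);
    return true;
}

/* 1 = frame would overflow a buffer of cap bytes, 0 = fits, -1 = unparseable. */
int header_would_overflow(const uint8_t *buf, size_t len, size_t cap) {
    ape_header_t h;
    if (!ape_parse_header(buf, len, &h)) return -1;
    return frame_output_bytes(&h) > cap ? 1 : 0;
}

/* Constructed sample headers, not taken from any real file.
 * Benign: 0x12000 blocks/frame, 16-bit stereo -> 294912 bytes per frame. */
static const uint8_t kBenignHeader[APE_HEADER_LEN] = {
    0xD0, 0x07, 0x00, 0x00,                         /* compression level, flags */
    0x00, 0x20, 0x01, 0x00,                         /* blocks per frame = 0x12000 */
    0xE8, 0x03, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, /* final frame blocks, total frames */
    0x10, 0x00, 0x02, 0x00,                         /* 16 bits per sample, 2 channels */
    0x44, 0xAC, 0x00, 0x00                          /* sample rate 44100 */
};
/* Oversized: blocks/frame equal to the buffer size; 24-bit stereo makes the
 * frame 6x the buffer (7077888 bytes), so capping blocks/frame alone is not enough. */
static const uint8_t kOversizedHeader[APE_HEADER_LEN] = {
    0xD0, 0x07, 0x00, 0x00,
    0x00, 0x00, 0x12, 0x00,                         /* blocks per frame = 0x120000 */
    0xE8, 0x03, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x02, 0x00,                         /* 24 bits per sample, 2 channels */
    0x44, 0xAC, 0x00, 0x00
};

static uint8_t g_out[OUT_BUF_SIZE];

int main(void) {
    printf("benign: overflow=%d checked=%d\n",
           header_would_overflow(kBenignHeader, sizeof kBenignHeader, OUT_BUF_SIZE),
           decode_frame_checked(kBenignHeader, sizeof kBenignHeader, g_out, sizeof g_out));
    printf("oversized: overflow=%d checked=%d would_write=%llu\n",
           header_would_overflow(kOversizedHeader, sizeof kOversizedHeader, OUT_BUF_SIZE),
           decode_frame_checked(kOversizedHeader, sizeof kOversizedHeader, g_out, sizeof g_out),
           (unsigned long long)decode_frame_unchecked(kOversizedHeader, sizeof kOversizedHeader, g_out, sizeof g_out));
    return 0;
}
```

The point the oversized header makes is that a limit on blocksperframe by itself does not bound the write: the decoder's output length is blocksperframe times channels times bytes per sample, so the check has to be applied to the final byte count against the actual destination size, as in decode_frame_checked.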