Samsung Phones Hit by Dangerous Zero-Click Flaw: Project Zero Reveals Critical RCS Exploit

Samsung Smartphones Vulnerable to Audio Decoder Security Flaw

A significant security vulnerability (CVE-2024-49415) has been discovered in Samsung smartphones’ Monkey’s Audio (APE) decoder, affecting devices running Android 12, 13, and 14. The high-severity flaw, carrying a CVSS score of 8.1, could enable remote code execution.

Google Project Zero researcher Natalie Silvanovich identified the zero-click vulnerability, which specifically impacts devices with Rich Communication Services (RCS) enabled in Google Messages – a default setting on Galaxy S23 and S24 models. The flaw exists in the libsaped.so component, where the saped_rec function can trigger a buffer overflow due to improper input validation.

The vulnerability could be exploited by sending a maliciously crafted audio message through Google Messages to devices with RCS enabled, potentially causing the media codec process to crash. The attack requires no user interaction, making it particularly dangerous.

Samsung addressed this security issue in its December 2024 security update by implementing proper input validation. The update also patches another high-severity vulnerability (CVE-2024-49413) in SmartSwitch that could allow unauthorized app installations by bypassing cryptographic signature verification.
