Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices
Jan 10, 2025
Cybersecurity / Android
Cybersecurity researchers have detailed a now-patched security flaw impacting Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution. The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14. "Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code," Samsung said in an advisory for the flaw released in December 2024 as part of its monthly security updates. "The patch adds proper input validation." Google Project Zero researcher Natalie Silvanovich, who discovered and reported the shortcoming, described it as requiring no user interaction to trigger (i.e., zero-click) and a "fun new attack surface" under specific conditions. Particularly, this works if Google Messages is configured for rich communication services ( RCS ), the default configuration on Galaxy S23 and S24 ph...