Google Project Zero has disclosed a vulnerability in Dolby Digital Plus, an audio technology widely used across the mobile ecosystem, especially on Android. The concern is that an attacker can send an audio clip as an RCS message and the victim never has to open or play it: the device processes the file automatically and could be remotely hijacked.
The vulnerability is zero-click, which puts millions of Android devices at risk, as Pegasus and Stagefright did before it.
Security researchers Ivan Fratric and Natalie Silvanovich of Google's Project Zero team found the flaw in the DDPlus Unified Decoder, the component that parses Dolby Digital Plus audio data (.ec3, .mp4, …).
The flaw is an out-of-bounds memory write caused by an integer overflow in the data length calculation: the overflowed length leads to an undersized allocation, so the subsequent write runs past the end of the buffer and can overwrite adjacent structures, including control data such as pointers that steer execution. That gives an attacker a path to inject code and have the device execute it.
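To make the mechanism concrete, here is an added example in C. It is not the Dolby decoder's code and not from Project Zero; the frame layout, field names and error codes are assumptions made for illustration. The unchecked size calculation wraps exactly as the paragraph describes, while the hardened parser uses an overflow-checked multiply and verifies the declared payload against the bytes actually received before allocating anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of the bug class described above; this is NOT the Dolby
 * decoder's source.  The frame layout is an assumption made for the example:
 *   bytes 0..3   block_count (little-endian uint32)
 *   bytes 4..7   block_size  (little-endian uint32)
 *   bytes 8..    block_count * block_size bytes of payload
 */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: the length is computed in 32-bit arithmetic and wraps.
 * block_count = 0x40000001, block_size = 4 gives 0x100000004, which becomes 4.
 * A decoder that then did
 *     out = malloc(len);
 *     for (i = 0; i < block_count; i++)
 *         memcpy(out + i * block_size, in + i * block_size, block_size);
 * would write about 4 GiB past a 4-byte buffer.  That loop is deliberately
 * not run here; only the wrapped size is returned. */
uint32_t unchecked_alloc_size(uint32_t block_count, uint32_t block_size)
{
    return block_count * block_size;
}

/* Hardened version: overflow-checked multiply, then a bounds check of the
 * declared payload against the bytes actually received.
 * Returns 0 on success, -1 short header, -2 length overflow,
 * -3 payload larger than the frame, -4 allocation failure. */
int parse_frame_checked(const uint8_t *frame, size_t frame_len,
                        uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (frame_len < 8)
        return -1;

    uint32_t count = rd32(frame);
    uint32_t size  = rd32(frame + 4);
    uint32_t total;                 /* same width the vulnerable code uses */
    if (__builtin_mul_overflow(count, size, &total))
        return -2;
    if (total > frame_len - 8)
        return -3;

    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return -4;
    memcpy(buf, frame + 8, total);
    *out = buf;
    *out_len = total;
    return 0;
}

/* Builds a constructed frame with the given header and payload_len filler
 * bytes, parses it, and returns the decoded length on success or the
 * negative error code. */
long demo_parse(uint32_t count, uint32_t size, size_t payload_len)
{
    uint8_t frame[8 + 64] = {0};
    if (payload_len > 64)
        payload_len = 64;
    wr32(frame, count);
    wr32(frame + 4, size);
    for (size_t i = 0; i < payload_len; i++)
        frame[8 + i] = (uint8_t)i;

    uint8_t *out;
    size_t out_len;
    int rc = parse_frame_checked(frame, 8 + payload_len, &out, &out_len);
    free(out);
    return rc == 0 ? (long)out_len : rc;
}

int main(void)
{
    printf("wrapped size for 0x40000001 * 4 : %u\n", unchecked_alloc_size(0x40000001u, 4u));
    printf("benign 3 x 4, 12 payload bytes  : %ld\n", demo_parse(3, 4, 12));
    printf("crafted 0x40000001 x 4          : %ld\n", demo_parse(0x40000001u, 4, 16));
    printf("oversized 100 x 4, 16 bytes     : %ld\n", demo_parse(100, 4, 16));
    return 0;
}
```

Build with gcc or clang (the overflow builtin is compiler-specific). The hardened parser keeps a 32-bit result type on purpose, to mirror the arithmetic described above; on a 64-bit target you would normally promote to size_t, in which case the check against the received frame length becomes the decisive defence.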
The delivery path is simple: send an audio message. The most worrying point is that on Android, messaging apps such as Google Messages automatically decode incoming RCS audio files to produce voice-to-text transcriptions. This means:
- The user does not need to open the audio file
- No need to tap “play”
- No manual download required
- As soon as the file reaches the device and enters the audio-processing pipeline, parsing it triggers the bug
During testing, the researchers used a file named “dolby_android_crash.mp4” and simply placed it where the messaging app would process it; the target device then crashed or was compromised, depending on the exploitation technique used.
Global impact: Android, macOS, smart TVs, streaming devices, etc.
Although the greatest impact was seen on Android, source-code analysis suggests the vulnerability may also be present on:
- Some versions of macOS that support DDP (though it may be harder to exploit there because of a pre-processing step)
- Smart TVs, media players and streaming devices with integrated Dolby decoding
- In-car entertainment systems and IoT devices that support DDP
Given how widespread Dolby is, the exposure could extend to many other platforms if manufacturers do not update promptly.
This flaw is considered dangerous because:
- It is a zero-click vulnerability: users have no idea they have been attacked
- It can be used to hijack the device remotely
- It could be used to break in, steal data, wiretap, or take remote control
- It is easy to reproduce and exploit in a test environment
- Fake audio messages could be used in sophisticated phishing operations
To minimize the risk of exploitation, users and system administrators should take the following measures:
- Update Android and the Google Messages app promptly (Google has said patches are coming).
- Limit the use of RCS on unpatched devices, temporarily switching to traditional SMS/MMS if necessary.
- Be wary of audio files received from unknown senders.
- Device manufacturers need to verify the fix and push firmware updates that include the patch.
- Corporate administrators should step up monitoring of internal audio-processing applications.
The Dolby Digital Plus vulnerability is not just a single technical failure but a warning about the danger of automated multimedia processing. That a single audio clip is enough to mount an attack suggests voice messages have become a new entry point for cybercriminals.
While waiting for the official patch, users need to stay vigilant and keep their devices up to date. With the proliferation of multimedia messaging services, every audio exchange deserves the same care as an executable file that may carry malicious code.
