Security experts from Check Point discovered multiple security flaws in smartphone chips developed by MediaTek, which could have allowed attackers to spy on Android users.
In its report, Check Point identified multiple vulnerabilities inside the chip’s audio processor, which is embedded in 37% of smartphones worldwide. Taiwan-based MediaTek is one of the largest chipset vendors and supplies its products to various smartphone brands, including Xiaomi, Realme, OPPO, and Vivo.
The vulnerabilities in MediaTek’s audio Digital Signal Processor (DSP) include CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, along with CVE-2021-0673 in the audio HAL. If exploited, the vulnerabilities could allow a remote hacker to spy on or eavesdrop on the targeted user via an unprivileged Android app.
MediaTek said that it had fixed all vulnerabilities after the vulnerability disclosure.
“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user. By chaining with vulnerabilities in original equipment manufacturer (OEM) partners’ libraries, the MediaTek security issues we found could lead to local privilege escalation from an Android application,” the researchers said.
- A user installs a malicious app from the Play Store and launches it.
- The app uses the MediaTek API to attack a library with permissions to talk with the audio driver.
- The app with system privilege sends crafted messages to the audio driver to execute code in the firmware of the audio processor.
- The app steals the audio flow.
While there is no evidence that the vulnerabilities were being exploited before they were patched, MediaTek urged users to update their smartphones and IoT devices immediately to prevent any risk.
Commenting on the vulnerability disclosure, Slava Makkaveev, Security Researcher at Check Point Software, said, “We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that potentially could be used to reach and attack the audio processor of the chip from an Android application. Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign. Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. In summary, we proved out a completely new attack vector that could have abused the Android API.”