- Check Point Research has discovered vulnerabilities in MediaTek’s chips, which are embedded in 37% of all smartphones worldwide.
- The vulnerabilities were discovered in the audio processor accessible from the Android user space.
- If exploited, hackers can potentially spy on the user from an unprivileged Android app.
As smartphone chipmakers continue to add security features, there are still security holes that allow hackers to eavesdrop on users of Android devices. Such breaches raise privacy concerns for users of mobile devices.
Several months earlier, Apple devices faced a similar problem, although in that case the devices would have been accessed through the Pegasus spyware. Reports have shown that Pegasus spyware has been used to spy on 50,000 mobile devices belonging to prominent people around the world.
To infect a phone, the spyware creates a fake WhatsApp account to make video calls. The moment a user’s phone rings, malicious code is transmitted and spyware is installed on the device. While Apple was able to fix the issue after several weeks, the spyware had already done enough damage.
For Android devices, Check Point Research has found vulnerabilities in MediaTek’s chips, which are embedded in 37% of all smartphones worldwide. The vulnerabilities were discovered in the audio processor accessible from the Android user space. If exploited, hackers can potentially spy on the user from an unprivileged Android app.
A global smartphone chip, MediaTek is integrated with a variety of smartphones and IoT devices across the world, including Xiaomi, Oppo, Realme, Vivo, and more. New models include the latest Dimensity series, which contains a special AI processing unit (APU) and digital audio signal processor (DSP) to improve media performance and reduce CPU usage.
Both the APU and the audio DSP are built on a custom Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chipmakers to extend the Xtensa core instruction set with custom instructions to optimize particular algorithms and prevent their copying. This makes the MediaTek DSP a unique and compelling target for security research.
Check Point Research reverse-engineered the firmware of the MediaTek Audio DSP and discovered several vulnerabilities accessible from the Android user space. Their research goal was to find a way to attack the audio DSP from an Android phone.
A malformed interprocessor message could potentially be used by an attacker to execute and hide malicious code inside DSP firmware. Since the DSP firmware has access to the audio data stream, a DSP attack could potentially be used to spy on the user.
How do Android hackers spy?
Check Point Research described, in theory, the order of operations a threat actor would follow to exploit the vulnerabilities. First, the user installs a malicious app from the Play Store and launches it. The app uses the MediaTek API to attack a library that is authorized to communicate with the audio driver. The application, now running with system privileges, then sends specially crafted messages to the audio driver to execute code in the audio processor firmware. Finally, the app steals the audio stream.
MediaTek has been made aware of the issue and already addressed it in October. Check Point Research has also informed Xiaomi of its findings.
“MediaTek is known to be the most popular chip for mobile devices. Given its ubiquity around the world, we began to suspect that it could be used as an attack vector by would-be hackers. We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that could potentially be used to reach and attack the chip’s audio processor from an Android application. Without a patch, a hacker could potentially have exploited the vulnerabilities to eavesdrop on Android users’ conversations,” said Slava Makkaveev, security researcher at Check Point Software.
Makkaveev also explained that the security holes could have been misused by the device makers themselves to create a massive listening campaign. Although they saw no specific evidence of such abuse, Check Point Research quickly disclosed the results to MediaTek and Xiaomi.
“We have proven a whole new attack vector that could have abused the Android API. Our message to the Android community is to update their devices with the latest security patch to protect themselves. MediaTek has worked diligently with us to ensure that these security issues are resolved quickly, and we are grateful for their cooperation and spirit for a safer world,” he added.
Meanwhile, Tiger Hsu, Head of Product Security at MediaTek, stressed that device security is a critical component and a priority of all MediaTek platforms. Regarding the Audio DSP vulnerability disclosed by Check Point, he said that MediaTek had worked diligently to validate the issue and make the appropriate mitigation measures available to all OEMs.
“We have no evidence that it is currently being exploited. We encourage end users to update their devices as patches become available and to only install apps from trusted locations such as the Google Play Store. We value the collaboration with the research team at Check Point to make the MediaTek product ecosystem more secure.”
While hackers can exploit Android devices, the reality is that all devices can have vulnerabilities. And in most cases, cybercriminals can discover and exploit them much faster than any security software. Cybersecurity research teams like those at Check Point and other vendors also continue to find more vulnerabilities in all types of devices.
Users should review the apps installed on their devices and remove any that they no longer need. These simple steps are often the best way to keep devices secure and avoid being hacked.