Android: discovery of a flaw in the chips that would allow you to spy on the mobile phone

Check Point Software has discovered a flaw in the MediaTek chips that would allow it to spy on Android users’ mobile phones and send them malicious applications.

A flaw in the MediaTek chips would allow it to spy on Android users’ mobile phones

Check Point Research, the leading provider of cybersecurity solutions globally, has identified security holes in MediaTek’s chips. Without a patch, hackers could exploit vulnerabilities to spy on Android users’ mobile phones and hide malicious codes.

Present in 37% of smartphones around the world, the Mediatek chip is the main processor of almost all high-end Android devices. We find it in Xiaomi, Oppo, Realme, Vivo and other players devices. Vulnerabilities have been identified in the chip’s audio processor.

MediaTek chips contain a special accelerated processing unit (APU) and digital signal processor (DSP) to improve multimedia content performance and reduce CPU usage. Both APU and DSP audio have custom microprocessor architectures. This makes MediaTek’s DSP a difficult target for security searches. CPR wanted to understand to what extent the DSP could be used as an attack vector by cybercriminals. For the first time, CPR was able to reverse engineer MediaTek’s audio processor, exposing several security holes.

How would the attack happen?

To exploit the vulnerabilities, a hacker should follow these steps:

A user installs a malicious app from the Play Store and launches it.

The app uses the MediaTek API to attack a library with permission to speak to the audio driver.

The application with system privilege sends specially created messages to the audio driver to execute the code in the audio processor firmware.

The app takes over the audio stream.

CPR responsibly shared the results of its investigation with MediaTek, creating the following: CVE-2021-0661, CVE-2021-0662, CVE-2021-0663. These three vulnerabilities were then fixed and published in the MediaTek Security Bulletin in October 2021. The security issue in MediaTek’s Audio HAL (CVE-2021-0673) was fixed in October and will be published in the MediaTek Security Bulletin of December 2021. CPR claimed to have also informed Xiaomi of its findings.

Slava Makkaveev, Security Researcher at Check Point Software said:

“MediaTek is undoubtedly one of the most popular chips among mobile devices. Given its huge global reach, we suspected it could be used as an attack vector by hackers. We started researching this technology and discovered a chain of vulnerabilities that could potentially be used to reach and attack the chip’s audio processor from an Android app. Without a patch, a hacker could have exploited the vulnerabilities to listen to user conversations. “

“Furthermore, the leaks could have been misused by the device manufacturers themselves to create a massive wiretapping campaign. While there is no evidence of such misuse, we quickly shared our findings with MediaTek and Xiaomi. In short, we demonstrated the existence of a totally new attack vector that could have harmed the Android APIs. Our message to the Android community is to update devices to the latest security patch in order to stay safe. MediaTek worked diligently with us to ensure that security issues were resolved quickly and we are grateful to them for their cooperation and attention to a safer world. “