The chip shortage has already plagued the tech sector, and a new chip security flaw has now become a growing concern among smartphone users. Zero-day vulnerabilities allow hackers to exploit the system, gaining ‘admin privileges’. Security researchers have found a flaw in the MediaTek chip that powers one-third of the world’s smartphones.
According to Check Point Research (CPR), a bug was found in a MediaTek audio processing chip that is used in many Android phones from major vendors, including Xiaomi, Oppo, Realme and Vivo. In a blog post, CPR explains how an attack could work through three different vulnerabilities: CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663.
How a bug in the MediaTek chip could help hackers run an ‘eavesdrop campaign’
CPR reverse-engineered MediaTek’s audio chip and discovered an opening that could allow a malicious app to install code. A detailed report of the process outlines what hackers would need to do to take advantage of this vulnerability. Once a user installs and launches a malicious app from the Google Play Store, hackers can take advantage of the vulnerabilities in MediaTek SoC-powered smartphones. After installation, the app uses the MediaTek API to ‘intercept audio passing through the chip and either record it locally or upload it to the attacker’s server.’
CPR disclosed its findings to MediaTek and Xiaomi in October, and the identified vulnerabilities have already been patched by the Taiwanese chip maker. If the flaw had been left unpatched, a hacker could have used it to eavesdrop on users and hide malicious code on the chip.
“Device security is an important element and a priority for all MediaTek platforms. Regarding Audio DSP vulnerabilities revealed by Check Point, we have worked diligently to verify the problem and provide appropriate mitigation for all OEMs. We have no evidence that it is currently being exploited. We encourage end-users to update their devices as patches become available and only to install applications from trusted locations, such as the Google Play Store,” said Tiger Hsu, MediaTek’s product safety officer.
Slava Makkaveev, a security researcher at Check Point Software, was quoted by Digital Trends from a press release as saying that, given MediaTek’s global presence, they suspected a potential threat and “started research into technology,” which uncovered a chain of vulnerabilities that could be used as an attack vector to create an ‘eavesdrop campaign’. Fortunately, the bugs were caught before hackers could put them to use.
The post “MediaTek chip bug that could eavesdrop on Android users has been fixed” first appeared on BGR India.