New Delhi: Taiwanese chipset maker MediaTek’s chips found in 37% of the world’s smartphones, including those from Xiaomi, Oppo, Realme, Vivo, among others, have a security flaw inside the processor audio from the chip. Without a patch, the vulnerabilities could have allowed a hacker to spy on an Android user and also hide malicious code in MediaTek-powered handsets. The chipmaker fixed these security issues.
According to security researchers at Check Point Research, MediaTek chips contain a special AI processing unit (APU) and digital audio signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and Audio DSP have custom microprocessor architectures, making MediaTek DSP a unique and exciting target for security research.
The researchers wanted to know to what extent MediaTek DSP could be used as an attack vector for threat actors. For the first time, they were able to reverse engineer the MediaTek audio processor, revealing several security holes.
“MediaTek is known to be the most popular chip for mobile devices. Given its ubiquity around the world, we began to suspect that it could be used as an attack vector by would-be hackers. We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that could potentially be used to reach and attack the chip’s audio processor from an Android application. Without a patch, a hacker could potentially have exploited the vulnerabilities to eavesdrop on Android users’ conversations, ”Slava Makkaveev, security researcher at Check Point Software, said in a statement.
The investigation found that the security bugs could have been misused by the device makers themselves to create a massive eavesdropping campaign.
“While we see no specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. In summary, we have proven a whole new attack vector that could have abused the API. Android Our message to the Android community is to update their devices with the latest security patch in order to be protected, ”Makkaveev added.
If not fixed, the security holes could have allowed a hacker to spy on an Android user and / or hide malicious code. Since the vulnerability has been fixed for all Android smartphone manufacturers, users of Vivo, Oppo, Realme, and Xiaomi phones with a MediaTek-powered handset should ensure that they download the latest update to their device to eliminate any security bug.