New Delhi: Security flaws have been found in a smartphone chip developed by MediaTek, one of the largest chipset vendors supplying Xiaomi, OPPO, Realme, Vivo and others, that could allow hackers to snoop on Android users, cyber security researchers said. Huh.
MediaTek said it has fixed all the vulnerabilities and Android users are safe.
Check Point Research (CPR) said in a report that it has identified security flaws in the MediaTek processor chip found in 37 percent of the world’s smartphones.
Security flaws were found inside the chip’s audio processor.
“Without patching, a hacker could have exploited the vulnerabilities to monitor Android users and/or hide malicious code,” the report said.
MediaTek product security officer Tiger Sue said the company had no evidence that hackers exploited the vulnerability.
“With respect to the Audio DSP vulnerability disclosed by Check Point, we have worked diligently to validate this issue and make available mitigations suitable for all OEMs (Original Equipment Manufacturers). We have no evidence that this is currently being exploited,” Sue said in a statement.
“We encourage end users to update their devices as patches become available and only install apps from trusted locations such as the Google Play Store,” the company executive said.
For the first time, they were able to reverse engineer a MediaTek audio processor, revealing several security flaws, the researchers said.
MediaTek chips include a specialized AI Processing Unit (APU) and Audio Digital Signal Processor (DSP) to improve media performance and reduce CPU usage.
Both the APU and the Audio DSP have custom microprocessor architectures, making the MediaTek DSP a unique and challenging target for security research.
CPR said it disclosed its findings to MediaTek, and the company fixed and published three vulnerabilities in its October 2021 security bulletin.
The security issue at MediaTek Audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 security bulletin.
CPR said it also informed Xiaomi of its findings.
“While we do not see any specific evidence of such abuse, we were quick to disclose our findings to MediaTek and Xiaomi. We found an entirely new attack vector that could have abused the Android API. ,” said Slava Makaviev, a security researcher at Check Point Software.
“Our message to the Android community is to update your devices to the latest security patches for safety’s sake,” Makaviev said.