New Delhi: Cyber security researchers said on Thursday that security flaws found in a smartphone chip developed by MediaTek, one of the largest chipset vendors who supplies to Xiaomi, Oppo, Realme, Vivo and more, could have led hackers to eavesdrop on Android Users.
MediaTek said that it has fixed all vulnerabilities and Android users are safe.
Check Point Research (CPR) said in a report that it identified security flaws in the MediaTek processor chip found in 37 per cent of the world’s smartphones.
The security flaws were found inside the chip’s audio processor.
“Left unpatched, a hacker could have exploited the vulnerabilities to eavesdrop on Android users and/or hide malicious code,” the report said.
Tiger Hsu, Product Security Officer at MediaTek, said that the company has no evidence that hackers have exploited the vulnerability.
“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs (original equipment manufacturers). We have no evidence it is currently being exploited,” Hsu said in a statement.
“We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store,” the company executive added.
The researchers said that for the first time, they were able to reverse engineer the MediaTek audio processor, revealing several security flaws.
MediaTek chips contain a special AI processing unit (APU) and audio Digital signal processor (DSP) to improve media performance and reduce CPU usage.
Both the APU and the audio DSP have custom microprocessor architectures, making MediaTek DSP a unique and challenging target for security research.
CPR said it disclosed its findings to MediaTek, and the company fixed and published three vulnerabilities in the October 2021 security bulletin.
The security issue in the MediaTek audio HAL (CVE-2021-0673) was fixed in October and will be published in the December 2021 security bulletin.
CPR said it also informed Xiaomi of its findings.
“Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. We proved out a completely new attack vector that could have abused the Android API,” said Slava Makkaveev, a security researcher at Check Point Software.
“Our message to the Android community is to update their devices to the latest security patch in order to be protected,” Makkaveev added.