According to researchers, a flaw in a chip made by the Taiwanese tech giant MediaTek has left one-third of all smartphones and IoT devices worldwide vulnerable to remote monitoring of phone conversations and surveillance through the device microphone.
As per a report from Israeli cybersecurity firm Check Point Research, the vulnerabilities were found in the section of MediaTek processors that handles audio transmissions. To carry out a remote attack, a hacker must either install malware on the target Android phone or smart device or discover a means to get access to the MediaTek audio firmware.
By attacking the methods in which the audio processor communicated with Android, the malware could write malicious code to device memory after it was installed. It would have been feasible to steal the device’s audio flow, allowing the hacker to eavesdrop on an Android user or install further malicious malware. If the flaws are unpatched, a hacker may use them to listen in on Android users’ chats.
According to Check Point’s experts, MediaTek patched the three vulnerabilities in October, but consumers should check with their phone maker if they haven’t gotten an update. Android phone heavyweights like Xiaomi and Oppo use MediaTek CPUs in their handsets.
At the time of publishing, MediaTek had not replied to requests for comment. In a Check Point statement, Tiger Hsu, MediaTek’s product security officer, said that they worked hard to confirm the problem and provide suitable mitigations to all [original device makers]. They have no proof that it is currently being used. They advise consumers to keep their devices up to date when new patches become available and to only install apps from reputable sources like the Google Play Store.
Check Point said that it had informed Google, Xiaomi, and MediaTek about the flaws, which resulted in the updates. According to the researchers, most users are safe since Android phones download security updates automatically or ask users to do so.
Remote control of Android smartphones is possible because of flaws in Android phones, albeit chip-level vulnerabilities are rare. As per Check Point, it is the first time anybody has looked at the MediaTek audio software, and it’s an altogether new attack vector for gaining privileges from an Android app.