Taiwanese chip maker MediaTek has addressed four vulnerabilities that could have allowed malicious apps to eavesdrop on Android phone users.
Three of the vulnerabilities, tracked as CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, affected the firmware of MediaTek’s digital signal processor (DSP), a sensitive component that, if compromised, can let attackers spy on user conversations.
Researchers at Check Point found and reported the bugs to MediaTek, which disclosed and fixed them in October. A fourth issue affects the MediaTek HAL (CVE-2021-0673). It was also fixed in October, but details will be published in December.
“A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data stream, an attack on the DSP could potentially be used to eavesdrop on the user,” explains Check Point researcher Slava Makkaveev.
According to market research firm Counterpoint, MediaTek’s systems-on-chip (SoCs) accounted for 43% of the mobile SoCs shipped in Q2 2021. Its chips are found in high-end smartphones from Xiaomi, Oppo, Realme, Vivo and others. Check Point estimates that MediaTek chips are present in about one-third of all smartphones.
The vulnerabilities are reachable from Android user space, which means that a malicious Android app installed on a device could use them to escalate privileges into the MediaTek DSP and eavesdrop on the user.
MediaTek rated CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663 as medium-severity heap-based buffer overflow bugs in the DSP. In all three cases, it notes that “user interaction is not necessary for exploitation.”
Check Point also discovered a way to use the Android Hardware Abstraction Layer (HAL) to attack MediaTek hardware.
“While searching for a way to attack Android HAL, we found several dangerous audio settings implemented by MediaTek for debugging purposes. A third-party Android application may abuse these settings to attack MediaTek Aurisys HAL libraries,” explains Makkaveev.
He adds that device manufacturers do not bother to validate HAL configuration files properly because the files are not accessible to unprivileged users.
“But in our case, we have control over the configuration files. The HAL configuration becomes an attack vector. An incorrectly designed configuration file can be used to crash an Aurisys library, which can lead to LPE,” writes Makkaveev.
“To alleviate the described audio configuration issues, MediaTek decided to remove the possibility of using the PARAM_FILE command via AudioManager in the Android release,” he adds.