Newly reported security lapses in MediaTek chips could allow hackers to listen to calls, company says it’s fixed

Advertisement
Newly reported security lapses in MediaTek chips could allow hackers to listen to calls, company says it’s fixed
MediaTek
  • Several vulnerabilities were discovered in MediaTek chipsets.
  • These vulnerabilities could allow hackers to listen to users’ conversations and hide malicious codes.
  • While some issues were resolved last month, MediaTek plans to resolve them all by December and publish it in their Security Bulletin.
Some security lapses have been identified in MediaTek’s chips, used in about 37% of Android smartphones globally, that could allow hackers to spy on Android users and hide malicious codes.

According to the report published by Check Point Research, there are several vulnerabilities in the MediaTek chip’s audio processor that are accessible from the Android userspace. If these are left unpatched, hackers would be able to spy on Android users and hear their conversations while also being able to hide malicious codes.

These vulnerabilities were addressed by MediaTek, as Tiger Hsu, its Product Security Officer, claimed that there was no evidence of exploitation via these vulnerabilities. However, he said that users are encouraged to update their devices to the latest security patch and install applications only from trusted sources such as Google Play Store.

Advertisement
Vulnerabilities Identified
MediaTek chipsets are used by many smartphone brands, including Xiaomi, OPPO, Realme, and Vivo. Check Point Research has shared the vulnerabilities with MediaTek and Xiaomi and have identified them.

According to a report in TechLapse, the issues identified as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663 have been resolved and published by MediaTek in its security bulletin for 2021. While the vulnerability CVE-2021-0673 was fixed last month, it will be published in the December 2021 Security Bulletin.

How can the vulnerability be exploited?


Advertisement

A hacker can exploit the vulnerability when you download a malicious app and run it. The app then attacks a library using MediaTek API with permission to speak to the audio driver.

The app can then send messages to the audio driver and run the code in the audio processor firmware. This gives it access over the audio stream.
SEE ALSO:
Apple is alerting Pegasus victims about state-sponsored snooping
YouTuber MrBeast recreates Squid Game with a prize money of $456,000
Advertisement
Pokemon Go developer and Fold have announced a game that lets you earn Bitcoin
{{}}