Today, Check Point Research disclosed a vulnerability it discovered in the AI and audio processing components of recent MediaTek chipsets, which could allow what is called a local privilege escalation attack from a third-party application. In short, an app loaded with the right code could get access to AI and audio-related information it shouldn’t have — theoretically even eavesdropping on device owners. Thankfully, the issue was never caught being exploited in the wild, and MediaTek has fixed the related vulnerabilities as of October.

Check Point Research published a detailed whitepaper today documenting how the attack was achieved on a Xiaomi Redmi Note 9 5G. It’s a complicated process, and researchers had to reverse-engineer much of the undocumented software involved. The exploit chains four vulnerabilities discovered in MediaTek’s firmware, allowing any app to pass specific commands to the audio interface — in plainer terms, giving a malicious app the ability to do things with certain parts of the audio interface that it shouldn’t be able to.

If the app has system-level permissions (as in the case of a rooted device or a pre-installed system app), it could even “hide malicious code within the audio DSP chip itself.” Because any app would be able to access the audio interface firmware, and because that firmware has access to the “audio data flow,” malicious apps could have eavesdropped on customers before the vulnerability was fixed. Researchers further claim that “the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign.”

A list of all potentially affected devices or chipsets wasn’t available. However, it sounds as if the vulnerability affected all modern MediaTek Dimensity chipsets and any other MediaTek chips that might use a so-called “Tensilica” APU platform. That’s a list that would include Helio G90 and P90 variants, among many others. (Some Huawei Kirin chipsets also use Tensilica IP, but it isn’t clear if other implementations might be impacted.) We reached out for a precise list of affected devices but had some trouble communicating with Check Point Research.

As of Q2 2021, MediaTek had some 43% of the worldwide smartphone market, making it the #1 smartphone chipset manufacturer by volume. MediaTek previously told us it expects to have around 20% of the US market by the end of the year.

Affected MediaTek device owners shouldn’t be concerned, as the issue has reportedly been fixed as of the company’s October security bulletin — we assume that means MediaTek devices running patch levels dated after October should be fine. The exploit also reportedly was never spotted in the wild, according to MediaTek product security officer Tiger Hsu:

“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”

We also reached out to Google to see if Play Protect had been updated to spot these particular exploits, just in case any devices don’t get the requisite system updates. (Play Protect is a feature built into the Play Store and Play Services, present on basically all Android phones, that scans all apps on a customer’s phone for specific signs of malware.) The company did not respond to our inquiry.

You might remember an exploit that allowed root-level access on dozens of MediaTek-powered devices from companies like Nokia, Sony, Alcatel, and Blu. Folks on the XDA Forums took advantage of it for years under the name “MTK-su,” but it was patched last year.

The company’s reputation among the Android enthusiast audience has taken a hit between the benchmark cheating scandal last year and its history of circumventing the GPL. Today’s vulnerability is pretty minor in the grand scheme of things, but the company handled its response to the situation well. Researchers note that MediaTek worked together with them to fix the issues in a timely manner after disclosure. When even Apple can’t get over its own ego to fix security issues, it’s good to know that MediaTek can.