A vulnerability in the MediaTek chips allowed spying on a malicious application on Android

A vulnerability in the MediaTek chips allowed spying on a malicious application on Android

SoC stands for System on a Chip or system within a chip, a way of differentiating that it is not only the processor, but also many other modules such as the GPU, NPU, the modem or the DSP audio processor. The latter, the DSP, is the protagonist of a vulnerability in MediaTek chips discovered by Check Point analysts.

On paper, this vulnerability – or vulnerabilities – technically allows an attacker to escalate privileges with a malicious application and communicate directly with the DSP firmware. In practice, this could result in an attacker spying on the mobile. Patches for these vulnerabilities are ready.

Forcing MediaTek DSP

Check Point Research has published a report detailing the process they have carried out to attack the DSP audio processor of the MediaTek Dimensity 800U of a rooted Xiaomi Redmi Note 9 5G. The result is a potential escalation of privileges for a malicious application and even the possibility of spy on the mobile.

According to this research, an application without special privileges can replace the parameter file of the audio libraries used by the system, thus achieving a local privilege escalation for that application. This vulnerability has been registered as CVE-2021-0673 and will be included in the MediaTek security bulletin for December.

Part of the problem is that an app can load its own file for the parameters of the audio library

Privilege escalation poses greater risks, as that application could exploit other vulnerabilities in the DSP firmware to communicate run malicious code directly on the DSP chip. One of the possibilities would be for the mobile to listen, spying on the user. These vulnerabilities have been registered as CVE-2021-0661, CVE-2021-0662 and CVE-2021-0663 and have been included in the MediaTek security bulletin for October.

Read:  Google plans to add free TV channels to its Android TV, according to Protocol

There is no evidence that the vulnerabilities are being exploited and the patches are already ready and pending to reach users

The good news is that no one is known to be exploiting these vulnerabilities. The not so good news is that after MediaTek releases their patches, it is the manufacturers who must distribute it to users as security patches, something that sometimes may take time or not happen at all, in low-end terminals.

Via | Android Police