Newly discovered vulnerabilities in MediaTek chips, embedded in 37% of smartphones and Internet of things (IoT) devices around the world, could have enabled attackers to eavesdrop on Android users from an unprivileged application.
The vulnerabilities specifically exist in a part of the MediaTek system-on-chip that handles audio signals, Check Point Research explained in a blog post. Modern MediaTek chips, which are built into high-end phones from Xiaomi, Oppo, Realme, and Vivo, have an artificial intelligence (AI) processing unit (APU) and audio digital signal processor (DSP) to boost media performance and reduce CPU usage.
Researchers say the goal of their analysis was to find a way to attack the audio DSP from an Android phone. The team reverse-engineered the MediaTek audio DSP firmware to find several flaws that are accessible from the Android user space, they report.
They found that an unprivileged Android application could abuse the AudioManager API by setting a crafted parameter value to attack a vulnerability in the Android Aurisys hardware abstraction layer (HAL) (CVE-2021-0673). By chaining this bug with flaws in the OEM partner's libraries, the MediaTek security flaw Check Point found could lead to local privilege escalation from an Android app. With this, an Android app may be able to send messages to the audio DSP firmware.
Three other vulnerabilities in the audio DSP itself (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) may allow an attacker to perform additional malicious actions, such as to hide and execute code within the audio DSP chip.
The flaws discovered in the DSP firmware have been patched and published in the October 2021 MediaTek Security Bulletin, Check Point reports. CVE-2021-0673 was fixed in October and will appear in the December 2021 MediaTek Security Bulletin.