Taiwanese chipmaker MediaTek fixed four vulnerabilities that could have allowed malicious apps to spy on Android phone users.
Three of the vulnerabilities, tracked as CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663, affected the firmware of MediaTek's digital signal processor (DSP) for audio. This is a sensitive component that, if compromised, could allow attackers to spy on user conversations.
Check Point researchers discovered the flaws and reported them to MediaTek, which disclosed and fixed them in October. A fourth issue, CVE-2021-0673, concerns the MediaTek HAL; it was also fixed in October but will be released in December.
"A malformed interprocessor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data stream, an attack on the DSP could potentially be used to spy on the user," says Slava Makkaveev, researcher at Check Point.
According to market research firm Counterpoint, MediaTek’s system-on-a-chip (SoC) accounted for 43% of mobile SoCs shipped in the second quarter of 2021. Its chips are found in high-end smartphones from Xiaomi, Oppo, Realme, Vivo and others. Check Point estimates that MediaTek chips are found in about a third of all smartphones.
The vulnerabilities are reachable from Android user space, which means that a malicious Android application installed on the device could use them to escalate privileges against the MediaTek DSP and eavesdrop on the user.
MediaTek has classified CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663 as medium-severity heap-based buffer overflow flaws in the DSP. In all three cases, it notes that "user interaction is not needed for exploitation".
Check Point also discovered a way to use Android Hardware Abstraction Layer (HAL) to attack MediaTek hardware.
“While looking for a way to attack Android HAL, we found several dangerous audio settings implemented by MediaTek for debugging purposes. A third-party Android application can abuse these settings to attack MediaTek Aurisys HAL libraries,” says Makkaveev.
He adds that device manufacturers do not bother to validate HAL configuration files properly because the files are not accessible to unprivileged users.
“But in our case, we are controlling the configuration files. The HAL configuration becomes an attack vector. A malformed configuration file could be used to crash an Aurisys library, which could lead to LPE,” writes Makkaveev.
“To alleviate the audio configuration issues described, MediaTek has decided to remove the ability to use the PARAM_FILE command via AudioManager in the final version of Android,” he adds.
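The HAL configuration problem described above comes down to a privileged component parsing a file it assumes only privileged parties can write. The following is an added C example, not code from Check Point or MediaTek, and it does not reproduce the Aurisys file format or any of its parameters: it parses a hypothetical key=value audio-parameter file into fixed-size fields while treating the file as untrusted input. The format, the limits (MAX_KEY, MAX_PARAMS, MAX_GAIN) and the function names (parse_audio_config, count_valid_params, lookup_param) are assumptions for illustration. Oversized keys, non-numeric or out-of-range values, over-long lines and too many entries are rejected before anything is copied into a fixed buffer, so a malformed file produces a parse error rather than memory corruption.

```c
/* Added example: defensive parsing of a hypothetical audio-parameter
 * configuration file. Not MediaTek's or Check Point's code; format and
 * limits are assumptions for illustration. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY    32     /* fixed-size key buffer, including terminator */
#define MAX_PARAMS 16     /* fixed-size parameter table */
#define MAX_GAIN   1024   /* hypothetical allowed magnitude for a value */

typedef struct {
    char key[MAX_KEY];
    long value;
} audio_param_t;

typedef struct {
    audio_param_t params[MAX_PARAMS];
    size_t count;
} audio_config_t;

/* Parse one "key=value" line. Returns 0 on success, -1 if malformed.
 * Each field is length- and range-checked BEFORE it is stored, so a
 * hostile line cannot overflow key[] or smuggle in an absurd value. */
static int parse_line(const char *line, audio_param_t *out) {
    const char *eq = strchr(line, '=');
    if (eq == NULL || eq == line) return -1;        /* no key or no '=' */
    size_t klen = (size_t)(eq - line);
    if (klen >= MAX_KEY) return -1;                 /* would overflow key[] */
    for (size_t i = 0; i < klen; i++)               /* restrict key charset */
        if (!isalnum((unsigned char)line[i]) && line[i] != '_') return -1;
    char *end;
    errno = 0;
    long v = strtol(eq + 1, &end, 10);
    if (end == eq + 1 || errno != 0) return -1;     /* not a number / overflow */
    while (*end == ' ' || *end == '\t' || *end == '\r') end++;
    if (*end != '\0') return -1;                    /* trailing garbage */
    if (v < -MAX_GAIN || v > MAX_GAIN) return -1;   /* out of range */
    memcpy(out->key, line, klen);
    out->key[klen] = '\0';
    out->value = v;
    return 0;
}

/* Parse a whole config text into cfg. Fails closed on the first
 * malformed line, an over-long line, or a table overflow. */
int parse_audio_config(const char *text, audio_config_t *cfg) {
    char buf[256];
    cfg->count = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof buf) return -1;           /* line too long for buf */
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (len > 0 && buf[0] != '#') {             /* skip blank and comment lines */
            if (cfg->count >= MAX_PARAMS) return -1; /* table is full */
            if (parse_line(buf, &cfg->params[cfg->count]) != 0) return -1;
            cfg->count++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Number of accepted entries, or -1 if the file was rejected. */
int count_valid_params(const char *text) {
    audio_config_t cfg;
    return parse_audio_config(text, &cfg) == 0 ? (int)cfg.count : -1;
}

/* Value for key, or LONG_MIN if the file was rejected or key is absent. */
long lookup_param(const char *text, const char *key) {
    audio_config_t cfg;
    if (parse_audio_config(text, &cfg) != 0) return LONG_MIN;
    for (size_t i = 0; i < cfg.count; i++)
        if (strcmp(cfg.params[i].key, key) == 0) return cfg.params[i].value;
    return LONG_MIN;
}

int main(void) {
    /* Constructed sample inputs: one well-formed file, one with an
     * oversized key that an unchecked memcpy into key[] would overflow. */
    const char *good = "# constructed sample\nmic_gain=12\nspk_gain=-3\n";
    const char *bad  = "this_key_is_far_too_long_for_the_fixed_size_buffer=1\n";
    printf("good: %d entries, mic_gain=%ld\n",
           count_valid_params(good), lookup_param(good, "mic_gain"));
    printf("bad: %d (rejected before any copy)\n", count_valid_params(bad));
    return 0;
}
```

The point of the wrapper functions is that every check happens before data is copied into a fixed-size structure; the parser never trusts the file's origin, which is exactly the assumption that lets a malformed configuration file crash a privileged library.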