Vulnerabilities in the artificial intelligence (AI) and audio processing components of recent MediaTek chips could have allowed eavesdropping on device owners. However, the flaws were reportedly never exploited in the wild.
MediaTek has fixed the vulnerabilities as of October, according to Check Point Research (via Android Police). While resolved, the vulnerabilities were quite serious and impacted a wide range of devices. As of Q2 2021, MediaTek powered about 43 percent of the worldwide smartphone market, making it the number one phone chip manufacturer by volume.
Although a list of impacted devices and/or chipsets wasn’t made available, Android Police reports that it sounds like the vulnerabilities affected modern MediaTek Dimensity chips and other MediaTek chips that use the ‘Tensilica’ APU platform.
In total, Check Point found four vulnerabilities that, when exploited together, could allow an app to pass commands to the audio interface. In other words, a malicious app could interact with the audio interface in ways that it shouldn’t be able to and, in some cases, could even hide malicious code in the audio chip itself.
Researchers claim that malicious apps could have eavesdropped on customers using the vulnerabilities. Worse, device manufacturers could have used them to create an eavesdropping campaign. However, the vulnerabilities weren’t caught being exploited in the wild.
In a statement to Android Police, MediaTek said:
“Regarding the Audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs. We have no evidence it is currently being exploited. We encourage end users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store.”
If your phone has a MediaTek chip in it, you should make sure to install the latest security updates if you haven’t already.