How a malicious Android app could covertly turn the DSP in your MediaTek-powered phone into an eavesdropping bug

Millions of devices potentially vulnerable, we're told


Check Point Research will today spill the beans on security holes it found within the audio processor firmware in millions of smartphones, which can be potentially exploited by malicious apps to secretly eavesdrop on people.

The infosec outfit believes as many as 37 per cent of smartphones globally are vulnerable. The flaws, patches for which were released last month, lie deep within handsets: in the code that controls an audio-processing unit inside system-on-chips designed by Taiwan's MediaTek.

Though its chips tend to power low-to-mid-end Android handhelds, MediaTek leads the world in terms of smartphone chip shipments; its tech is used nearly everywhere. Its system-on-chips include a digital signal processor (DSP) for handling audio, and this is a customized Tensilica Xtensa processor that has its own special opcodes and registers.

Check Point Research says it was able to obtain and reverse-engineer MediaTek's firmware driving this DSP, and found it was an adapted FreeRTOS environment with code for processing audio and exchanging messages with the Android software stack running on the phone. This real-time OS starts multiple individual tasks for handling phone calls, capturing raw audio from the microphone, and so on.

This firmware was pulled from a Xiaomi Redmi Note 9 5G smartphone running Android 11 on a Dimensity 800U SoC, which was also used for testing that the security holes could be exploited.

Essentially, according to Check Point Research, it's possible for an unprivileged, malicious Android app to chain together vulnerabilities and oversights in MediaTek and phone makers' system libraries and driver code to escalate its privileges and send messages direct to the audio DSP firmware. This low-level firmware code has little in the way of secure coding, allowing its memory to be overwritten and execution hijacked on receiving these messages.

At this point, the malicious app can now potentially program the DSP to act like a covert listening bug, drawing from raw microphone audio flows, and run hidden programs. The technical details for these flaws should appear here by the time you read this.

“MediaTek is known to be the most popular chip for mobile devices," said Slava Makkaveev, a security researcher at Check Point.

"Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers.

"Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users. Furthermore, the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdropping campaign."

Mediatek's latest Dimensity-series chips are among the components affected, we're told. Check Point Research said it can't right now share full details on how to achieve real-world exploitation "for ethical reasons."

MediaTek doesn't think anyone's abused these bugs in the wild, and has issued some fixes for its code to phone makers to then push to people's devices.

"Regarding the audio DSP vulnerability disclosed by Check Point, we worked diligently to validate the issue and make appropriate mitigations available to all OEMs," said Tiger Hsu, product security officer at MediaTek. "We have no evidence it is currently being exploited."

It's at least an interesting piece of research, though one wonders whether it might not be easier for an evil app to use a privilege-escalation flaw in the Android side of the device to eavesdrop on the user without having to delve into the custom DSP processor.

While patches are now out, you may want to check if your MediaTek-powered phone has actually been offered and installed the updates. The bugs CVE-2021-0661, CVE-2021-0662, and CVE-2021-0663 in the firmware were shared in October, and CVE-2021-0673 in MediaTek's hardware abstraction library is due to be released in December. The delay in patching the 0673 bug may be why full exploitation details are being withheld. We've asked Check Point Research for further info. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2021