Warning: Hackers could be eavesdropping on Android users

Vulnerabilities in smartphone chips are enabling hackers to eavesdrop on users of Android devices.
29 November 2021
  • Check Point Research discovered vulnerabilities in MediaTek’s chips, embedded in 37% of all smartphones globally.
  • The vulnerabilities were discovered in the audio processor that is accessible from the Android userspace.
  • If exploited, hackers can potentially eavesdrop on the user from an unprivileged Android app.

While smartphone chipmakers continue to innovate more security features, there are still security flaws that are allowing hackers to eavesdrop on Android device users. Such flaws are leading to privacy concerns among mobile device users.

Several months earlier, Apple devices faced a similar issue. Unlike the Android hackers’ problem, Apple devices were reportedly being accessed via the Pegasus spyware. Reports showed that the Pegasus Spyware was allegedly used to spy on 50,000 mobile devices of prominent individuals around the world.

To infect a phone, the spyware creates a fake WhatsApp account to make video calls. The moment a user’s phone rings, a malicious code is transmitted, and the spyware is installed on the device. While Apple was able to fix the problem after several weeks, the spyware had already done enough damage.

For Android devices, Check Point Research discovered vulnerabilities in MediaTek’s chips, embedded in 37% of all smartphones globally. The vulnerabilities were discovered in the audio processor that is accessible from the Android userspace. If exploited, hackers can potentially eavesdrop on the user from an unprivileged Android app.

MediaTek is a global smartphone chipmaker whose chips are embedded in a variety of smartphones and IoT devices around the world, including those from Xiaomi, Oppo, Realme, Vivo, and more. The newer models include the latest Dimensity series, which contains a special AI processing unit (APU) and an audio digital signal processor (DSP) to improve media performance and reduce CPU usage.

Both the APU and the audio DSP are built on a customized Tensilica Xtensa microprocessor architecture. The Tensilica processor platform allows chip manufacturers to extend the base Xtensa instruction set with custom instructions to optimize particular algorithms and prevent them from being copied. This makes the MediaTek DSP a unique and challenging target for security research.

Check Point Research reverse-engineered the MediaTek audio DSP firmware and discovered several vulnerabilities that are accessible from the Android userspace. Their research goal was to find a way to attack the audio DSP from an Android phone.

A malformed inter-processor message could potentially be used by an attacker to execute and hide malicious code inside the DSP firmware. Since the DSP firmware has access to the audio data flow, an attack on the DSP could potentially be used to eavesdrop on the user.


How do Android hackers eavesdrop?

To exploit the security vulnerabilities, Check Point Research pointed out that a threat actor’s order of operations, in theory, would be to first have a user install a malicious app from the Play Store and launch it. The app then uses the MediaTek API to attack a library that has permission to talk with the audio driver. Next, the app, now with system privilege, sends crafted messages to the audio driver to execute code in the firmware of the audio processor. After that, the app steals the audio flow.

MediaTek has been made aware of the issue and has already fixed it in October. Check Point Research also informed Xiaomi of its findings.

“MediaTek is known to be the most popular chip for mobile devices. Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers. We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that potentially could be used to reach and attack the audio processor of the chip from an Android application. Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users,” said Slava Makkaveev, Security Researcher at Check Point Software.

Makkaveev also explained that the security flaws could have been misused by the device manufacturers themselves to create a massive eavesdrop campaign. Although they did not see any specific evidence of such misuse, Check Point Research moved quickly to disclose the findings to MediaTek and Xiaomi.

“We proved out a completely new attack vector that could have abused the Android API. Our message to the Android community is to update their devices to the latest security patch to be protected. MediaTek worked diligently with us to ensure these security issues were fixed promptly, and we are grateful for their cooperation and spirit for a more secure world,” he added.

Meanwhile, Tiger Hsu, Product Security Officer at MediaTek, pointed out that device security is a critical component and priority of all MediaTek platforms. Regarding the audio DSP vulnerability disclosed by Check Point, he said that MediaTek worked diligently to validate the issue and make appropriate mitigations available to all OEMs.

“We have no evidence it is currently being exploited. We encourage end-users to update their devices as patches become available and to only install applications from trusted locations such as the Google Play Store. We appreciate the collaboration with the Check Point research team to make the MediaTek product ecosystem more secure.”

While hackers may be exploiting Android devices, the reality is that all devices can have vulnerabilities. In most cases, cybercriminals can discover and exploit them much faster than any security software can respond. Cybersecurity research teams like the ones from Check Point and other vendors are also continuing to discover more vulnerabilities in all types of devices.

Users need to make sure they check the types of apps they have on their devices and remove any apps that are no longer relevant to them. These simple steps can often be the best way to secure devices and avoid being hacked.