New Delhi: Chips from Taiwanese chipset manufacturer MediaTek, which are found in 37 per cent of the world’s smartphones, including those from Xiaomi, Oppo, Realme and Vivo, among others, have security flaws inside the chip’s audio processor. Left unpatched, the vulnerabilities could have enabled a hacker to eavesdrop on an Android user and also hide malicious code in MediaTek-powered handsets. The chipmaker has patched these security issues.


According to security researchers at Check Point Research, MediaTek chips contain a special AI processing unit (APU) and audio digital signal processor (DSP) to improve media performance and reduce CPU usage. Both the APU and the audio DSP have custom microprocessor architectures, making MediaTek DSP a unique and challenging target for security research.


The researchers wanted to find out to what extent the MediaTek DSP could be used as an attack vector by threat actors. For the first time, they were able to reverse engineer the MediaTek audio processor, revealing several security flaws.


“MediaTek is known to be the most popular chip for mobile devices. Given its ubiquity in the world, we began to suspect that it could be used as an attack vector by potential hackers. We embarked on research into the technology, which led to the discovery of a chain of vulnerabilities that potentially could be used to reach and attack the audio processor of the chip from an Android application. Left unpatched, a hacker potentially could have exploited the vulnerabilities to listen in on conversations of Android users,” Slava Makkaveev, Security Researcher at Check Point Software, said in a statement.


The security bugs could have been misused by the device manufacturers themselves to create a massive eavesdropping campaign, the investigation has revealed.


"Although we do not see any specific evidence of such misuse, we moved quickly to disclose our findings to MediaTek and Xiaomi. In summary, we proved out a completely new attack vector that could have abused the Android API. Our message to the Android community is to update their devices to the latest security patch in order to be protected," Makkaveev added.


Left unpatched, the security vulnerabilities could have enabled a hacker to eavesdrop on an Android user and/or hide malicious code. Since the vulnerability has been fixed for all Android smartphone makers, Vivo, Oppo, Realme and Xiaomi phone users with a handset powered by MediaTek need to ensure they download the latest update on their device to get rid of any security bug.