Android has quietly patched a critical security flaw affecting millions of devices containing chipsets from Taiwanese semiconductor MediaTek: a full year after the security vulnerability – which gives an attacker root privileges – was first reported.
Incredibly the exploit “dubbed MediaTek-SU” has been known by security researchers since at least February last year, when it was discovered by a member of the Android software modification forum XDA-Developers; they had initially used it to help Amazon Fire HD owners easily gain root privileges to and unlock their tablets
The vulnerability, CVE-2020-0069, lets any user (including any app on your phone) copy a script to their device and execute it to gain root access in shell.
MediaTek is the world’s fourth-largest fabless chipmaker.
It claims to power 1.5 billion devices a year.
The XDA moderator, know online as ‘diplomatic’ later turned their attention to other devices and found that the flaw worked on most devices containing MediaTek’s 64-bit, Arm-based chips. The exploit appears to have been widely used by malicious actors.
In January this year, Trend Micro spotted it being used by malicious Google Play Store applications, saying the apps were “using MediaTek-SU get root privileges”. (This appears to have been overlooked, owing to the same report also catching the first use in the wild of another more closely watched vulnerability, CVE-2019-2215).
The vulnerable chipsets power a wide range of low-end and mid-end smartphones, tablets, and set-top boxes around the world; many not patched regularly.
XDA Developers said MediaTek had told it has a security update ready since May of 2019, but been unable to push it down its extensive supply chain.
Computer Business Review was unable to reach MediaTek to confirm this.
With exploits being widely used in the wild, Android finally pushed out a patch in its monthly patch release yesterday, offering few details alongside it.
XDA-Developers editor Mishaal Rahman noted the XDA member who first spotted the bug “shared a script that users can execute to grant them superuser access in shell, as well as set SELinux, the Linux kernel module that provides access control for processes, to the highly insecure “permissive” state.”
“For a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script.”
Rahman added: “Google was so concerned about the repercussions of publicising MediaTek-su that they asked us to hold off on publishing this story until today.”
The XDA user who discover vulnerability says it affects devices from 2015 onwards, when MediaTek released the chipset MT6580.
Editor’s note: Computer Business Review has as many questions here as our readers probably do: Why hasn’t MediaTek done anything about this earlier, given evidence of wide abuse? Why has it taken Android’s team this long to step in? (We appreciate that patches for the hugely diverse Android ecosystem are not always easy to execute…) Why has it taken the vulnerability this long to get a CVE? If you’d like to comment, contact our editor on ed dot targett at cbronline dot com.