Google has disclosed a severe vulnerability affecting dozens of models of mid-range Android devices running on chips from MediaTek. Malicious Android apps have been exploiting the flaw since at least January 2020.
The elevation-of-privilege flaw, tracked as CVE-2020-0069, is disclosed in Google’s March 2020 Android bulletin and affects the MediaTek Command Queue driver.
The dangerous part about this bug is that an exploit has been floating around for almost a year called ‘MediaTek-su’, which enables temporary root access on a large number of MediaTek chips.
A developer who goes by the name ‘diplomatic’ used XDA-Developers’ forums to share a script that users can run to gain superuser (su) access.
SEE: IT pro’s guide to the evolution and impact of 5G technology (free PDF)
While it was originally intended for rooting Amazon Fire devices to modify them, any app can incorporate MediaTek-su and execute it to gain root access in shell, according to XDA-Developers. However, a malicious app’s root access won’t survive a device reboot.
TrendMicro reported in January that several malicious apps available on Google Play were using MediaTek-su to gain root access on Android devices.
The apps were using the exploit to collect infected devices’ location, battery status, files, a list of installed apps, screenshots and data from WeChat, Outlook, Twitter, Facebook, Gmail and Chrome. Google removed the offending apps at the time.
According to XDA-Developers, MediaTek says the vulnerability affects MediaTek devices with Linux Kernel versions 3.18, 4.4, 4.9, or 4.14 running Android versions 7 Nougat, 8 Oreo, or 9 Pie.
MediaTek devices running Android 10 are not vulnerable since “the access permission of CMDQ device nodes is also enforced by SELinux”, the company said.
MediaTek actually had patches available for the flaw in May 2019, which were rolled out by Amazon for its Fire OS devices. However, many OEMs using affected MediaTek chips hadn’t applied the fix and so the company reportedly sought Google’s help.
Now that Google has released a fix in its Android update, users with a MediaTek device should install them from their OEM.
According to a post on XDA-Developers Forums, the MediaTek-su exploit works against dozens of cheaper devices from Acer, Huawei, Lenovo, LG, Sony and ZTE. The full list includes:
- Acer Iconia One 10 B3-A30
- Acer Iconia One 10 B3-A40
- Alba tablet series
- Alcatel 1 5033 series
- Alcatel 1C
- Alcatel 3L (2018) 5034 series
- Alcatel 3T 8
- Alcatel A5 LED 5085 series
- Alcatel A30 5049 series
- Alcatel Idol 5
- Alcatel/TCL A1 A501DL
- Alcatel/TCL LX A502DL
- Alcatel Tetra 5041C
- Amazon Fire 7 2019 — up to Fire OS 6.3.1.2 build 0002517050244 only
- Amazon Fire HD 8 2016 — up to Fire OS 5.3.6.4 build 626533320 only
- Amazon Fire HD 8 2017 — up to Fire OS 5.6.4.0 build 636558520 only
- Amazon Fire HD 8 2018 — up to Fire OS 6.3.0.1 only
- Amazon Fire HD 10 2017 — up to Fire OS 5.6.4.0 build 636558520 only
- Amazon Fire HD 10 2019 — up to Fire OS 7.3.1.0 only
- Amazon Fire TV 2 — up to Fire OS 5.2.6.9 only
- ASUS ZenFone Max Plus X018D
- ASUS ZenPad 3s 10 Z500M
- ASUS ZenPad Z3xxM(F) MT8163-based series
- Barnes & Noble NOOK Tablet 7″ BNTV450 & BNTV460
- Barnes & Noble NOOK Tablet 10.1″ BNTV650
- Blackview A8 Max
- Blackview BV9600 Pro (Helio P60)
- BLU Life Max
- BLU Life One X
- BLU R1 series
- BLU R2 LTE
- BLU S1
- BLU Tank Xtreme Pro
- BLU Vivo 8L
- BLU Vivo XI
- BLU Vivo XL4
- Bluboo S8
- BQ Aquaris M8
- CAT S41
- Coolpad Cool Play 8 Lite
- Dragon Touch K10
- Echo Feeling
- Gionee M7
- HiSense Infinity H12 Lite
- Huawei GR3 TAG-L21
- Huawei Y5II
- Huawei Y6II MT6735 series
- Lava Iris 88S
- Lenovo C2 series
- Lenovo Tab E8
- Lenovo Tab2 A10-70F
- LG K8+ (2018) X210ULMA (MTK)
- LG K10 (2017)
- LG Tribute Dynasty
- LG X power 2/M320 series (MTK)
- LG Xpression Plus 2/K40 LMX420 series
- Lumigon T3
- Meizu M5c
- Meizu M6
- Meizu Pro 7 Plus
- Nokia 1
- Nokia 1 Plus
- Nokia 3
- Nokia 3.1
- Nokia 3.1 Plus
- Nokia 5.1
- Nokia 5.1 Plus/X5
- Onn 7″ Android tablet
- Onn 8″ & 10″ tablet series (MT8163)
- Oppo A5s
- Oppo F5 series/A73 — Android 8.x only
- Oppo F7 series — Android 8.x only
- Oppo F9 series — Android 8.x only
- Oukitel K12
- Protruly D7
- Realme 1
- Sony Xperia C4
- Sony Xperia C5 series
- Sony Xperia L1
- Sony Xperia L3
- Sony Xperia XA series
- Sony Xperia XA1 series
- Southern Telecom Smartab ST1009X (MT8167)
- TECNO Spark 3 series
- Umidigi F1 series
- Umidigi Power
- Wiko Ride
- Wiko Sunny
- Wiko View3
- Xiaomi Redmi 6/6A series
- ZTE Blade A530
- ZTE Blade D6/V6
- ZTE Quest 5 Z3351S