37% of World’s Smart Phones Could Have Been Used for Eavesdropping

A problem with Mediatek chips - which has now been addressed - meant malicious android apps could've accessed phone audio.
Aaron Drapkin

Millions of Android users have a chip in their phones that could have allowed malicious apps from the app store to eavesdrop on their conversations, a security research team has found. 

The microchip that contains the issue is present in about 37% of the world’s smartphones, and Android users were potentially left open to threat actors before the issue was patched. 

Stories like this are a reminder that you have to take security into your own hands and bolster your mobile security provisions rather than relying on, say, the company that makes your phone. Anti virus software, for instance, is just as useful on your phone as it is on a traditional computer. 

What was the Issue with the Chip?

Mediatek’s System on a Chip (SoC) includes two things, one called an AI Processing Unit (APU) and another called a Digital Signal Processor (DSP). In short, they help with improving media performance and reducing CPU usage in devices that house them. 

Checkpoint, the security firm that identified the issue, said in their research findings that they “reverse-engineered the MediaTek audio DSP firmware despite the unique opcodes and processor registers, and discovered several vulnerabilities that are accessible from the Android user space.”

A “malformed inter-processor”, Checkpoint claim, could be used to hide and subsequently execute malicious code inside the DSP firmware, and because the DSP inside a device has access to incoming audio (it processes digital signals), it could be used to listen to the conversations of whoever is near or on the phone. 

Interestingly – and quite concerningly – none of the vulnerabilities required interaction with the user to be exploited. However, thankfully, there seems to be little evidence the vulnerability has been exploited in the wild. 

The vulnerabilities being tracked were named CVE-2021-0661, CVE-2021-0662, CVE-2021-0663, all three of which were fixed in October. 

A fourth vulnerability, dubbed CVE-2021-0673 that was presented in Mediatek Hardware Abstraction Layer (HAL) was also fixed in the same month, but this won’t be announced until December. The researchers at Checkpoint were able to use this to disrupt the hardware inside the Mediatek chip they were analyzing. 

Why Android Users Were at Risk

Checkpoint estimates that these vulnerabilities were present in more than one-third of the world’s smartphones. 

In the second quarter of this year, around 43% of the smartphones shipped contained the Mediatek Chip, up from 24% from the same period in the year prior. 

If a malicious app on the Android store was coded sufficiently, it could, in theory, access the internal AI and related audio data. The flaw is certainly a complicated one and would have taken some significant technical nous to actually achieve it, but it’s entirely possible. 

There is a feature on the Google Play Store called Play Protect, which can scan apps on phones to see if there’s malware present, but it’s unclear whether Play Protect would have picked up Apps coded to exploit this vulnerability. 

Security Matters – Especially on Phones

Whenever we think of computer viruses, hackers, scammers, and fraudsters, many people’s mind goes to their desktop PC or Laptop. But phones are just smaller computers and are equally as susceptible to malware infections and phishing attacks.

Nowadays, it’s vitally important that you invest in adequate security provisions on your phone as well as the computer you use for working, gaming, and watching Netflix. VPNs, for instance, are one of the most useful pieces of tech you can invest in for your phone – although they're more of a privacy tool first and foremost. 

Antivirus software is available for phones too, which is a good idea to have if you have an Android considering how many Android apps on the Google Play Store have been found to contain malware and used to orchestrate phishing attacks

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at contact@tech.co

Aaron Drapkin is a Senior Writer at Tech.co. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol three years ago. As a writer, Aaron takes a special interest in VPNs and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, The Week, and Politics.co.uk covering a wide range of topics.

Explore More See all news
close Thinking about your online privacy? NordVPN is Tech.co's top-rated VPN service See Deals