MediaTek is the leading manufacturer of processors integrated into a large number of smartphones, tablets, speakers, routers and even SmartTV that you use every day.
According to a discovery made by members of the Android XDA Developers developer forum, most MediaTek processors are affected by a serious security vulnerability that would give full control of the device to a remote attacker.
This leaves billions of devices of all kinds at risk since the brand’s processors are usually integrated into low-end smartphones or affordable devices, which account for the highest proportion of manufacturers’ sales.
The finding took place when one of the members of that forum investigated how to unlock the boot system of the Amazon Fire tablets that would allow him to install Google Play on the Amazon device. The vulnerability, which has been registered under the name of Mediatek-us in clear reference to its characteristics, would allow an attacker to act as a superuser (technically known as SU) taking full control of the device.
This is a carte blanche for attacks with malware, ransomware, and threats of different kinds that would seriously jeopardize the security and privacy of millions of mobiles and all kinds of devices.
Those responsible for finding Mediatek-us immediately contacted MediaTek, which claimed to have been aware of the vulnerability since May 2019 and that there is already a patch to fix it but that, with few exceptions, no manufacturer has done nothing to implement it.
Amazon did deploy it among its devices as soon as it was recorded, but its example did not spread among other manufacturers. The context is simple to understand: it is a problem that only affects low-cost devices, so manufacturers are reluctant to invest money and resources to implement the patch that would solve it.
Surprised with the news received from MediaTek, those responsible for the Android forum contacted Google to let them know that many of the devices that work under their operating system are vulnerable.
Google’s response was an express request to the forum not to make public the information available until the publication of its March security bulletin, forcing manufacturers to solve that vulnerability.
However, this Google newsletter is only a reference list to solve the problems of smartphones that receive the Google security update, something that millions of low-end devices with just over a year will never do and does not seem to matter to no one.