Over at XDA Developers, Android enthusiasts tinker with the software that runs phones, tablets, and other pieces of tech. Primarily, modders are hobbyists who want to do simple things with their devices such as remove bloatware, flash a new ROM, or fix a broken phone.
However, one XDA modder came across an exploit in Mediatek chipsets — a lot of Mediatek chipsets. The modder was using this exploit to unlock the bootloaders of Amazon Fire tablets, which is a quite sought-after thing as doing so allows you to install the Google Play Store on Amazon’s cheap tablets.
Through a considerable amount of detective work, XDA realized that this exploit — nicknamed Mediatek-su — could potentially allow a malicious actor to do pretty much anything it likes on a victim’s smartphone. We’re talking everything from installing any apps they like, changing permissions for existing apps, and accessing private data. This discovery happened in early February.
After some further research, XDA concluded that Mediatek knew full well of this exploit nearly ten months ago. To that company’s credit, it released a patch for its chipsets to fix the vulnerability. However, Mediatek is not an OEM — it’s up to the manufacturer of a device to push that fix to its products.
Amazon, as one would expect, did just that. But Mediatek chips are used in hundreds of different smartphones and tablets from dozens of manufacturers. Many of these companies don’t have the resources or motivation to issue out Android updates, even ones as critical as this.
After figuring this all out, XDA went to Google.
Google decides to wait
With the high level of danger related to Mediatek-su, XDA assumed Google would use its considerable weight to force OEMs to issue Mediatek’s patch. However, Google ultimately told XDA to hold off on publishing any information about the security vulnerability until today — the day that Google would release the Android Security Bulletin for March 2020. Google’s assumption was that if as few people as possible knew about the exploit until its scheduled patch went out then the danger would be mitigated.
Of course, Google could have also released a special bulletin for an exploit of this magnitude. This would have been more than appropriate when you consider that the exploit has already been around for months and likely already caused plenty of damage.
Regardless, it still falls on the OEMs to fully fix this problem, and many of them simply won’t do it. This, unfortunately, means that there are likely thousands (or possibly millions) of devices out there that are, as of right now, completely vulnerable to this exploit. That means things like ransomware, adware, and other extremely problematic software hacks could infect those devices to an alarming degree.
It should be noted that Mediatek chipsets are primarily used in mid-range and budget devices. That means people who can’t afford flagship phones are in the most danger.
To see if your phone or tablet is one of the devices affected by Mediatek-su, you can find a list in the original XDA article here.