Android MediaTek devices open to de-bugging (hacking aplenty)

Chris Burns - Jan 29, 2016
Android MediaTek devices open to de-bugging (hacking aplenty)

Earlier this month a potential security issue in Android devices with MediaTek processor was found by researcher Justin Case. This issue apparently exists in Android devices that’ve gone through the review process with their manufacturers but have not had a “debug” feature deactivated before shipping. While MediaTek is working on a fix for this issue across all devices, there are still smartphones and/or tablets out in the wild with this vulnerability open, and devices hackable with a simple software “flick of a switch” so to speak.

Back on January 12th, Case reported to MediaTek the issue at hand. At that time, MediaTek responded to Case with the following: “Hi, we have been working on a patch and expect it to be ready shortly. Thanks for being on the lookout though. Inputs always welcome!”

These comments were made over Twitter due to MediaTek’s lack of a security concern email and/or comment form. They’d be following up with their “Product Security Taskforce”, so they said.

When asked why MediaTek does not have a proper bug-reporting method, they responded as follows: “We’re assessing how to garner users’ feedback in a more formal manner and will get back to you. Cheers.”

Note that the device being used to show this permissions break was an Obi Alligator S454. Never heard of it? You’re not alone. This is a device that was launched back in November of 2014, running a MediaTek MT6582.


What can you do as an Android smartphone user with a MediaTek MT6582 processor inside for now? Not a whole lot. Keep your device off the internet, if you’re extremely worried.

MediaTek gave the following quote on the matter to the folks at NDTV:

“We are aware of this issue and it has been reviewed by MediaTek’s security team. It was mainly found in devices running Android 4.4 KitKat, due to a de-bug feature created for telecommunication inter-operability testing in China.”

“After testing, phone manufacturers should disable the de-bug feature before shipping smartphones. However, after investigation, we found that a few phone manufacturers didn’t disable the feature, resulting in this potential security issue.” – MediaTek Spokesperson

In a nutshell: What’s happening here is that MediaTek processor-toting Android devices have a debug feature that allows users to enable root access. This could be bad if the wrong person got ahold of your phone, or access to your phone via an app. This feature was supposed to be disabled by manufacturers before shipping, but not all manufacturers did their due diligence.

Not that they should have had to have worried about this in the first place, because these checks should not have been removed by MediaTek from the code put in place by Google.

At this time we do not know the full list of devices affected by this bug. You can, however, get a full list of devices running MediaTek processors on Wikipedia.

Must Read Bits & Bytes