MediaTek-SU hacks phone from a simple app

Google today noted MediaTek-SU, a reminder of the extreme importance of keeping current with security updates for one's phone. In the Android Security Bulletin for March 2020, Google detailed security vulnerability CVE-2020-0069. This is not a new exploit – in fact it's been out in the wild for almost a year.

Per a report on XDA Developers this week, the security vulnerability appeared in developer forums as early as April of 2019. This is the same vulnerability that appears with Google as CVE-2020-0069, only in XDA forums, it was dubbed MediaTek-SU. The name refers to the exploit's access – super user.

In MediaTek-SU, code executed on the phone can give the user root access without dealing with the bootloader. Generally the bootloader is like the first locked door in the code of a phone. Once you've unlocked the bootloader, you can potentially open the second door – that's called gaining root access. Once you've got root access, you're basically free to edit and change what you like.

Gaining root access in an Android phone is like pulling C-3PO's back panel – you can make the device whatever you'd like. In the case of a malicious agent, this exploit can give them access to any data, any input, anything that goes in or out of the phone from the point at which they've gained access.

The most shocking bit about this exploit is the fact that it needn't have a human being present to execute malicious code. An app could send this command to the device without the user even knowing it's happened – behind the scenes.

MediaTek, for their part, found out about the exploit relatively quickly and issued a fix. This software fix patched the security hole – it should have all been over quickly. But not all manufacturers of devices with MediaTek processors took the time to update the Android phones they'd made. Some devices have remained open to this exploit for more than a year now!

It would appear now that MediaTek's worked with Google to put the fix in the standard Android Security Update for March, giving it a far better chance of hitting (and fixing) all active Android devices that have MediaTek processors that'd otherwise be vulnerable.

If you've got a device that might have a MediaTek processor, you most certainly should check your device for the March Security Update as soon as possible. Head to Settings – System Updates, or Settings – About Phone – Updates, or a path similar to this, whatever your phone happens to have. Even if you're not sure what sort of processor is in your Android device right now, there's no harm in checking to make sure you get the security update package from Google ASAP.
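
For anyone checking more than one handset, the same check can be scripted over USB debugging. The sketch below is an added example, not code from Google, MediaTek or the original article: it parses `adb shell getprop` output and reports whether a MediaTek device has reached the patch level carrying the fix. It assumes the fix ships with the 2020-03-05 patch level string and that MediaTek builds report an "mt"-prefixed SoC name in `ro.board.platform` or `ro.hardware`; the function names and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example: classify a device from `adb shell getprop` output.
# Live use (needs adb and USB debugging enabled):
#   assess_props "$(adb shell getprop)"

FIX_LEVEL=20200305   # assumption: fix is in the 2020-03-05 patch level

# Extract one value from getprop's "[key]: [value]" dump format.
prop() {  # $1 = dump text, $2 = property name
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    printf '%s\n' "$1" | tr -d '\r' |            # older adb emits CRLF
        sed -n "s/^\[$key\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Heuristic (assumption): MediaTek builds report an "mt<digits>" SoC name.
is_mediatek() {
    case "$1" in
        mt[0-9]*|MT[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one verdict: not-mediatek | unknown | needs-update | patched
assess_props() {  # $1 = full getprop dump
    dump=$1
    platform=$(prop "$dump" ro.board.platform)
    hardware=$(prop "$dump" ro.hardware)
    patch=$(prop "$dump" ro.build.version.security_patch)

    if ! is_mediatek "$platform" && ! is_mediatek "$hardware"; then
        echo "not-mediatek"; return 0
    fi
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;   # property absent or malformed
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    if [ "$(printf '%s' "$patch" | sed 's/-//g')" -ge "$FIX_LEVEL" ]; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# Constructed sample dump (not taken from a real device).
SAMPLE='[ro.board.platform]: [mt6765]
[ro.hardware]: [mt6765]
[ro.build.version.security_patch]: [2019-12-05]'

assess_props "$SAMPLE"   # prints: needs-update
```

A verdict of "unknown" means the build does not expose a patch level at all, which is itself a sign the device is far behind on updates.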