Critical bug for MediaTek-powered devices, including Amazon Fire tablets, is already being exploited 'in the wild'
MediaTek makes chips that power millions of devices. Some you've heard of, like the Amazon Fire HD tablet(s), others, like the Alcatel Tetra, you probably haven't. Almost all of them have something in common though: a bug in the CPU firmware that allows a simple script "root" the device itself.
This was first found by developers at XDA Forums, and almost every single 64-bit MediaTek CPU is vulnerable unless it's been patched. And some devices are patched since a recent update but the list isn't very long:
- Samsung has patched its phones
- Vivo has patched its phones
- Huawei and Honor phones with Android 8 or higher have been patched
- Oppo phones with Android 8 or higher have been patched
- Phones running Android 10 are immune
- Amazon Fire HD tablets may be patched if they have a specific firmware version.
That leaves a whole lot of unpatched devices with a critical exploit in the system that should have been wiped out a long time ago, as MediaTek released a firmware patch in May 2019 to developers who use the affected chipsets.
The dirty details of the whole thing are a really interesting read, even if you're not "into" Android security. This was originally discovered by XDA developer diplomatic as an easy way to root the Amazon Fire HD tablets, and things progressed from there. Eventually, Google was forced to get involved and worked with the XDA team to release the details in conjunction with a complete system-wide fix for any phone maker that's included as part of the March 2020 Android Security Bulletin.
MediaTek's Helio P95 chipset is here with minor AI and camera tweaks
Many of us aren't going to be affected because we don't use any MediaTek-powered devices, but worldwide we're talking about millions and millions of phones, tablets, and Android-powered set-top boxes. It's a pretty big deal. That doesn't mean that it's going to get fixed in any sort of timely or meaningful way, though.
For all the work MediaTek, XDA developers, and Google have done to matter the company which made your device has to send out an update. Let's be frank here: looking at the list of affected devices (which you can find at Mishaal Rahman's excellent write-up) it's obvious that many will never see this patch. That means it's up to the owners of these devices to be proactive.
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
- Only download applications from official app storefronts like Google Play or Amazon's App Store.
- Read reviews of apps before you install them.
- Pay attention to all the permissions an app requests and if anything seems fishy, just say no.
- Remember that the company who made your device left you high and dry when you make your next purchase.
We want everyone's experience to be awesome when they use their phone or tablet. And even though there's a particularly nasty bug in some of them, and it may never be fixed, you still can. Just take a bit of extra time before you install any applications and you can be safe.
One of the best media consumption devices you can buy under $200.
If you plan on watching a lot of movies on your tablet, the Fire HD 10 is the clear winner. Its display is larger and higher density than the HD 8, it comes with more onboard storage, and the speakers are louder and clearer.
Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Threads.