A severe security vulnerability in Android devices powered by MediaTek chips is being actively exploited in the wild — but even though Google LLC has issued a patch, many devices are unlikely ever to receive it.

The vulnerability allows hackers to gain root access to a targeted device, giving them the ability to install their own applications.

The exploit was first discovered in February 2019 by a developer looking for a way to root Amazon.com Inc. Fire tablets, later developing a script to do so. Though designed for the Amazon Fire, the rooting function works on any Android devices using MediaTek chips. It does not affect devices running Android 10.

MediaTek Inc. is a Taiwanese semiconductor company that among its product lines produces low-end chips that can be used to power Android devices. Along with Amazon’s Fire tablets, the chip also powers low-end smartphones, tablets and media players manufactured by Nokia, LG Electronics Inc., Vivo Communication Technology Co. Ltd., Guangdong OPPO Mobile Telecommunications Corp. Ltd., Xiaomi Inc., RealMe and Motorola along with countless no-name Chinese manufacturers.

Google has released a patch for the vulnerability as part of its Android Security Bulletin for March 2020. Although some manufacturers have started pushing out the fix, the reality is that many affected devices will never receive it. Cheap Chinese manufacturers are notorious for not providing Android updates.

“This is a vulnerability within approximately two dozen MediaTek chipsets that are in millions of Android devices,” Chris Hazelton, director of security solutions mobile security company Lookout Inc., told SiliconANGLE. “If you have a device running a MediaTek chipset, you should add mobile security that detects when your device is rooted by a third party to protect from attacks using this vulnerability.”

Longer-term, he added, users should consider replacing their devices, since some device manufacturers such as Samsung have kernel protections in place to stop these types of exploits.

“IT and security teams for organizations should identify Android devices with MediaTek chips that are vulnerable,” Hazleton said. “If your organization has vulnerable devices used by employees, those devices should be monitored and eventually replaced.”

Photo: Solomon203/Wikimedia Commons