Androids With MediaTek Chips Need This Month’s Security Update ASAP

Androids With MediaTek Chips Need This Month’s Security Update ASAP
Photo: <a href="https://www.shutterstock.com/image-photo/belgrade-serbia-february-01-2020-mobile-1634592556">Shutterstock</a>

While everyone should always grab the latest security updates for their Androids whenever possible, you’re going to want to pay extra-special attention to this month’s update, and grab it immediately, if your device has any MediaTek chips on the inside.

To make the process a little easier, here’s a list of affected devices courtesy of XDA-Developers, where the MediaTek security exploit was initially discovered. (More on that in a bit.) There are 93 devices in all; if yours isn’t on this list, or you want to double-check that you’re affected, you can see if these ADB commands successfully run on your device. If so, your MediaTek chip could be exploited to give an attacker root access to your device.

As for that list:

  1. Acer Iconia One 10 B3-A30

  2. Acer Iconia One 10 B3-A40

  3. Alba tablet series

  4. Alcatel 1 5033 series

  5. Alcatel 1C

  6. Alcatel 3L (2018) 5034 series

  7. Alcatel 3T 8

  8. Alcatel A5 LED 5085 series

  9. Alcatel A30 5049 series

  10. Alcatel Idol 5

  11. Alcatel/TCL A1 A501DL

  12. Alcatel/TCL LX A502DL

  13. Alcatel Tetra 5041C

  14. Amazon Fire 7 2019 — up to Fire OS 6.3.1.2 build 0002517050244 only

  15. Amazon Fire HD 8 2016 — up to Fire OS 5.3.6.4 build 626533320 only

  16. Amazon Fire HD 8 2017 — up to Fire OS 5.6.4.0 build 636558520 only

  17. Amazon Fire HD 8 2018 — up to Fire OS 6.3.0.1 only

  18. Amazon Fire HD 10 2017 — up to Fire OS 5.6.4.0 build 636558520 only

  19. Amazon Fire HD 10 2019 — up to Fire OS 7.3.1.0 only

  20. Amazon Fire TV 2 — up to Fire OS 5.2.6.9 only

  21. ASUS ZenFone Max Plus X018D

  22. ASUS ZenPad 3s 10 Z500M

  23. ASUS ZenPad Z3xxM(F) MT8163-based series

  24. Barnes & Noble NOOK Tablet 7″ BNTV450 & BNTV460

  25. Barnes & Noble NOOK Tablet 10.1″ BNTV650

  26. Blackview A8 Max

  27. Blackview BV9600 Pro (Helio P60)

  28. BLU Life Max

  29. BLU Life One X

  30. BLU R1 series

  31. BLU R2 LTE

  32. BLU S1

  33. BLU Tank Xtreme Pro

  34. BLU Vivo 8L

  35. BLU Vivo XI

  36. BLU Vivo XL4

  37. Bluboo S8

  38. BQ Aquaris M8

  39. CAT S41

  40. Coolpad Cool Play 8 Lite

  41. Dragon Touch K10

  42. Echo Feeling

  43. Gionee M7

  44. HiSense Infinity H12 Lite

  45. Huawei GR3 TAG-L21

  46. Huawei Y5II

  47. Huawei Y6II MT6735 series

  48. Lava Iris 88S

  49. Lenovo C2 series

  50. Lenovo Tab E8

  51. Lenovo Tab2 A10-70F

  52. LG K8+ (2018) X210ULMA (MTK)

  53. LG K10 (2017)

  54. LG Tribute Dynasty

  55. LG X power 2/M320 series (MTK)

  56. LG Xpression Plus 2/K40 LMX420 series

  57. Lumigon T3

  58. Meizu M5c

  59. Meizu M6

  60. Meizu Pro 7 Plus

  61. Nokia 1

  62. Nokia 1 Plus

  63. Nokia 3

  64. Nokia 3.1

  65. Nokia 3.1 Plus

  66. Nokia 5.1

  67. Nokia 5.1 Plus/X5

  68. Onn 7″ Android tablet

  69. Onn 8″ & 10″ tablet series (MT8163)

  70. OPPO A5s

  71. OPPO F5 series/A73 — Android 8.x only

  72. OPPO F7 series — Android 8.x only

  73. OPPO F9 series — Android 8.x only

  74. Oukitel K12

  75. Protruly D7

  76. Realme 1

  77. Sony Xperia C4

  78. Sony Xperia C5 series

  79. Sony Xperia L1

  80. Sony Xperia L3

  81. Sony Xperia XA series

  82. Sony Xperia XA1 series

  83. Southern Telecom Smartab ST1009X (MT8167)

  84. TECNO Spark 3 series

  85. Umidigi F1 series

  86. Umidigi Power

  87. Wiko Ride

  88. Wiko Sunny

  89. Wiko View3

  90. Xiaomi Redmi 6/6A series

  91. ZTE Blade A530

  92. ZTE Blade D6/V6

  93. ZTE Quest 5 Z3351S

Screenshot: David Murphy

You’ll want to make sure your device is running Google’s March 2020 security update as soon as it’s available for your device, because the MediaTek-su exploit, as it’s known, allows an attacker to obtain root access to your device simply by running a script. That doesn’t sound like that scary of an issue on paper, but a post from XDA-Developers explains why it’s a big deal:

…the typical way to achieve root access on an Android device is to first unlock the bootloader, which disables verification of the boot partition. Once the bootloader is unlocked, the user can introduce a superuser binary to the system and also a superuser management app to control which processes have access to root. Unlocking the bootloader is intentionally disabling one of the key security features on the device, which is why the user has to explicitly allow it to happen by typically enabling a toggle in Developer Options and then issuing an unlock command to the bootloader. With MediaTek-su, however, the user does not have to unlock the bootloader to get root access. Instead, all they have to do is copy a script to their device and execute it in shell. The user isn’t the only one that can do this, though. Any app on your phone can copy the MediaTek-su script to their private directory and then execute it to gain root access in shell.

The one weakness of MediaTek-su isn’t much of one; a malicious app would have to set up a script that runs every time you power up your device, as rebooting your Android removes the temporary root privileges. Still, that shouldn’t be difficult for a savvy attacker to overcome, and an app that has root access to your device has basically nullified its security protections. Not only can it grant itself all the permissions it wants without your input or confirmation, but it can install any apps it wants to in the background of your device without you ever knowing about them.

To put it another way: When an app you don’t want on your device suddenly has root access to your device, it can make your Android life hell. All the technical details are fascinating, if you feel like digging into XDA-Developers’ article, but the end result is the same: Check for and install the monthly Android security update as soon as you can. Pull up Settings, tap on System, and look for the option for updating your Android, which might be obvious or buried under an Advanced menu (depending on your device).

Log in to comment on this story!