Google today reiterated the importance of keeping Android smartphones up-to-date with security updates, and users of devices using MediaTek chip based solutions should be more vigilant.In its march 2020 security bulletin, it pointed out a cve-2020-0069 security vulnerability that existed for up to a year.XDA developers wrote in a report this week that they knew about it as early as April 2019.
Some apps abusing MediaTek Su vulnerability in play store (figure from:TrendMicro)
Similar to the vulnerability disclosed by Google in cve-2020-0069, the XDA developers forum calls it mediatek-su, with a suffix indicating that malicious programs can gain access to super users.
By using MediaTek Su security vulnerability, a malicious program can obtain almost complete function permission without first obtaining root permission of the device (handling bootloader boot program), and even arbitrarily edit and modify relevant content.
From the moment he gets access, he can access any data, input and incoming and outgoing content. Applications can even execute malicious code in the background, sending commands to devices without the user's knowledge.
MediaTek soon discovered the vulnerability and released a fix, but unfortunately, device manufacturers did not have much incentive to push security updates to users. After a year, many users are still exposed to risks.
The good news is that MediaTek and Google are now working more closely to integrate this fix into the Android standard security update in March. After manufacturers push OTA updates, please install and deploy them in time to eliminate this security risk.