The issue was first reported on the XDA forum back in April 2019.
The exploit was successfully tested on all MediaTek 64-bit chipsets used in several devices including Motorola and OPPO.
The vulnerability allowed an attacker to install a malicious application on the device and have unrestricted access to all the files including private data directories.
The that was reported in Androids back in April 2019 was finally taken care of by Google. The critical vulnerability affected millions of users using devices with MediaTek chips (now tracked as CVE-2020-0069). The issue was first reported on the XDA forum, one of the largest forums for Android software modifications. Overall, Google published patches for over 70 software vulnerabilities in its Android Security bulletin.
MediaTek is a large Taiwanese chip design company that provides chips for wireless communications, High-definition television, and devices like smartphones and tablets. The vulnerability is a rootkit lodged in the CPU's firmware. It allows a simple script to root Android devices that use nearly any of MediaTek's 64-bit chips, so it has compromised hundreds of budget and mid-range smartphone, tablet and set-top box models, XDA says.
The Amazon Fire tablets are heavily guarded, and the tablet manufacturer does not provide an official method to unlock the bootloader of Fire tablets. The only way to root the Fire tablet without hardware modifications is to find a loophole in the software itself that bypasses model. An active member of the forum did just that and hit the bull’s eye only to discover that the exploit had a greater outreach and not just limited to the Amazon Fire Tablet.
The exploit was successfully tested on all MediaTek 64-bit chipsets used in several devices including Motorola, OPPO, Sony, Alcatel, Amazon, ASUS, Blackview, Realme, Xiaomi, and more. On gaining root shell access and privileges, an attacker can install a malicious application on the device and have unrestricted access to all the files including private data directories.
MediaTek chips power hundreds of budget and mid-range smartphone models, cheap tablets, and off-brand set-top boxes, most of which are sold without the expectation of timely updates from the manufacturer. Many devices still affected by MediaTek-su are thus unlikely to get a fix for weeks or months after today’s disclosure, if they get one at all.
- XDA Developers
This was a grave concern and thus reported to MediaTek immediately. However, XDA states that although MediaTek released a security patch to fix the issue in a month’s time, it was continued to be exploited in the wild by many hacking groups until recently.
MediaTek turned to Google for a helping hand, after failing to fix the issue and considering the high severity of it, in February 2020. Google’s engineers obliged as it also affected its flagship Android mobile device brand – Pixel. On March 3, 2020, Google released an Android Security Bulletin for March 2020 in which it announced the fixture of over 70 various issues affecting its Android devices including CVE-2020-0069.
Earlier in 2019, Google’s security researchers discovered that an iPhone could be turned into a surveillance tool exposing a victim’s sensitive information including contacts, Live Location, chat history, emails, photos, and passwords. A total of fourteen vulnerabilities spread across five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes were discovered and later fixed.
Now that Google's March 2020 security patch has been released, most devices should ideally be able to update it until and unless the manufacturer releases it further.