After security researcher Justin Case tweeted that a software bug related to MediaTek was affecting Android 4.4 devices, leaving them vulnerable to chipset-based malware hacks, the Taiwan-based company has confirmed that KitKat devices – running its chipsets – were at risk.
Official sources confirmed that the bug was a result of some smartphone makers failing to follow MediaTek's instruction to disable the debug feature before shipping the devices to consumers. The chipmaker did not reveal the names of phone manufacturers responsible for the mess, hence, it is not known which devices were affected by the bug.
Nevertheless, affected KitKat devices could allow exploits or malware to gain unauthorised root access to its system including access to private photos and contacts or brick the device or spy on communication channels, reports Gadgets360 citing Case's theory.
Case had this to say, while explaining how the bug could be exploited: "[MediaTek has] 'nerved' the property space, they made it so these properties can be changed, and changed by anyone/app. A malicious app could set the 'ro.secure' property to 0, ro.debuggable one to 1, ro.adb.secure prop to 0 (this would mean ADB didn't need authentication) and then enable the ADB over Wi-Fi property, and get a local root shell."
Although a large number of devices could be running Android 4.4 with MediaTek installed, the chipset-maker did not reveal the number of affected handsets. The company, however, clarified that "the issue only affects certain manufacturers" and certain "portion of devices for those manufacturers".
MediaTek has reportedly taken measure to alert all manufacturers, who use their chipsets and make them aware of this issue.