MediaTek has confirmed the existence of a bug that leaves all Android devices, both smartphones and tablets, running KitKat 4.4 vulnerable. An attacker can exploit the bug to gain access to the victim's private data, such as contacts and photos.
The bug was first reported by security researcher Justin Case in a tweet. According to him, the bug could give an attacker root access and let them change the device's read-only properties. He said, “Root user could do many things, such as access data normally protected from the user/other apps, or brick the phone, or spy on the user, monitor communications etc.”
As for why the bug exists in the first place, MediaTek said it stems from a debugging feature that manufacturers should have disabled before shipping the devices.
In a statement given to Gadget360, MediaTek said:
“We are aware of this issue and it has been reviewed by MediaTek’s security team. It was mainly found in devices running Android 4.4 KitKat, due to a de-bug feature created for telecommunication inter-operability testing in China. After testing, phone manufacturers should disable the de-bug feature before shipping smartphones. However, after investigation, we found that a few phone manufacturers didn’t disable the feature, resulting in this potential security issue.”
MediaTek refused to reveal the names of the smartphone manufacturers or the device models affected by the issue. But it said that it is working on a fix and has started alerting the manufacturers.