Mediatek, a semiconductor manufacturer, has released a patch to address several vulnerabilities that allow attackers to intercept Android phone calls, execute commands, or elevate their privileges to a higher level.
The vulnerabilities include CVE-2021-0661, CVE-2021-0662, CVE-2021-0663, which were all fixed in October, and CVE-2021-0673, which will be fixed in the upcoming update.
Since 43% of smartphones use Mediatek chips, the bug ensures that these devices are vulnerable to eavesdropping or malware infections while the update is not installed.
With these vulnerabilities in the hands of an attacker, several malicious activities could be carried out, including local privilege escalation attacks, sending messages to the DSP firmware, and most recently executing hidden code on the DSP chip.
Those using a MediaTek device that works on an older patch level should install mobile protection software from a verified vendor and refrain from risky practices such as installing APKs outside the Play Store.