Critical bug for MediaTek-powered devices, including Amazon Fire tablets, is already being exploited 'in the wild'

Amazon Fire HD 10
Amazon Fire HD 10 (Image credit: Phil Nickinson / Android Central)

MediaTek makes chips that power millions of devices. Some you've heard of, like the Amazon Fire HD tablet(s), others, like the Alcatel Tetra, you probably haven't. Almost all of them have something in common though: a bug in the CPU firmware that allows a simple script "root" the device itself.

This was first found by developers at XDA Forums, and almost every single 64-bit MediaTek CPU is vulnerable unless it's been patched. And some devices are patched since a recent update but the list isn't very long:

  • Samsung has patched its phones
  • Vivo has patched its phones
  • Huawei and Honor phones with Android 8 or higher have been patched
  • Oppo phones with Android 8 or higher have been patched
  • Phones running Android 10 are immune
  • Amazon Fire HD tablets may be patched if they have a specific firmware version.

That leaves a whole lot of unpatched devices with a critical exploit in the system that should have been wiped out a long time ago, as MediaTek released a firmware patch in May 2019 to developers who use the affected chipsets.

The dirty details of the whole thing are a really interesting read, even if you're not "into" Android security. This was originally discovered by XDA developer diplomatic as an easy way to root the Amazon Fire HD tablets, and things progressed from there. Eventually, Google was forced to get involved and worked with the XDA team to release the details in conjunction with a complete system-wide fix for any phone maker that's included as part of the March 2020 Android Security Bulletin.

MediaTek's Helio P95 chipset is here with minor AI and camera tweaks

Many of us aren't going to be affected because we don't use any MediaTek-powered devices, but worldwide we're talking about millions and millions of phones, tablets, and Android-powered set-top boxes. It's a pretty big deal. That doesn't mean that it's going to get fixed in any sort of timely or meaningful way, though.

For all the work MediaTek, XDA developers, and Google have done to matter the company which made your device has to send out an update. Let's be frank here: looking at the list of affected devices (which you can find at Mishaal Rahman's excellent write-up) it's obvious that many will never see this patch. That means it's up to the owners of these devices to be proactive.

  • Only download applications from official app storefronts like Google Play or Amazon's App Store.
  • Read reviews of apps before you install them.
  • Pay attention to all the permissions an app requests and if anything seems fishy, just say no.
  • Remember that the company who made your device left you high and dry when you make your next purchase.

We want everyone's experience to be awesome when they use their phone or tablet. And even though there's a particularly nasty bug in some of them, and it may never be fixed, you still can. Just take a bit of extra time before you install any applications and you can be safe.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.