An exploit published by a developer is easy to use and has already been used to build malicious apps that gain root access on Android devices.

Google has addressed a high-severity flaw in MediaTek’s Command Queue driver that developers said affects millions of devices – and which has an exploit already circulating in the wild.

Also in its March 2020 Android Security bulletin, issued this week, Google disclosed and patched a critical security vulnerability in the Android media framework, which could enable remote code execution within the context of a privileged process.

The critical bug (CVE-2020-0032) can be exploited with a specially crafted file, according to the advisory. Other details were scant, but Google noted that it’s the most concerning vulnerability out of the entirety of the March update.

The MediaTek bug meanwhile is an elevation-of-privilege flaw (CVE-2020-0069) discovered by members of XDA-Developers (a forum for Android software modifications) — they said the bug is more specifically a root-access issue. Even though the March update is the bug’s first public disclosure, XDA members said in a posting this week that an exploit for it has been floating around since April last year. And, they said that it is now being actively used by cybercriminals in campaigns.

“Despite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models,” according to the alert. “Now MediaTek has turned to Google to close this patch gap and secure millions of devices against this critical security exploit.”

An XDA community member who goes by “diplomatic” was looking to gain root access to Amazon Fire tablets, which run on the Android OS, in order to get rid of what developers said is “uninstallable bloatware” on the devices. Amazon has locked the environment down to keep users within its walled garden, according to the developers.

“The only way to root an Amazon Fire tablet (without hardware modifications) is to find an exploit in the software that allows the user to bypass Android’s security model,” according to the post. “In February of 2019, that’s exactly what XDA Senior Member diplomatic did when he published a thread on our Amazon Fire tablet forums. He quickly realized that this exploit was far wider in scope than just Amazon’s Fire tablets.”

In fact, the exploit works on “virtually all of MediaTek’s 64-bit chips,” developers said, translating to millions of devices.

diplomatic’s exploit is a script, dubbed “MediaTek-su,” that grants users superuser access in a shell. It also sets SELinux (the Linux kernel security module that provides mandatory access control for processes) to the “highly insecure ‘permissive’ state,” according to the post.

“For a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script,” XDA members explained.
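A defender-side check that follows from the two observable effects described above (a device still on a pre-fix security patch level, or SELinux left in permissive mode). This is an added example and not part of the article or the XDA post; the property names are standard Android system properties, the MediaTek board-platform prefix (`mt…`) and the 2020-03-05 threshold are assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the article or XDA): flag devices that look exposed to
# CVE-2020-0069 / MediaTek-su, or that already show its SELinux side effect.
# Assumptions: MediaTek SoCs report ro.board.platform values such as "mt6765",
# and vendor-component fixes in the March 2020 bulletin sit at patch level
# 2020-03-05. Sample values at the bottom are constructed, not real device output.

FIXED_LEVEL=20200305   # security patch level assumed to carry the MediaTek fix

# assess_device <ro.board.platform> <ro.build.version.security_patch> <getenforce>
# Prints exactly one verdict: PERMISSIVE_SELINUX, AT_RISK, OK or UNKNOWN.
assess_device() {
    platform=$1; patch=$2; selinux=$3

    # MediaTek-su switches SELinux to permissive after gaining root; a production
    # device reporting Permissive is therefore worth investigating regardless of
    # its patch level.
    if [ "$selinux" = "Permissive" ]; then
        echo "PERMISSIVE_SELINUX"; return 0
    fi

    # Turn YYYY-MM-DD into an integer so dash/sh can compare it numerically.
    level=$(printf '%s' "$patch" | tr -d '-')
    case $level in
        ''|*[!0-9]*) echo "UNKNOWN"; return 0 ;;   # malformed or missing property
    esac

    case $platform in
        mt[0-9]*)   # MediaTek board platform (assumed naming convention)
            if [ "$level" -lt "$FIXED_LEVEL" ]; then
                echo "AT_RISK"; return 0
            fi ;;
    esac
    echo "OK"
}

# Convenience wrapper for a device attached over adb; strips the CR that
# "adb shell" appends to each line. Not invoked automatically.
assess_via_adb() {
    assess_device \
        "$(adb shell getprop ro.board.platform | tr -d '\r')" \
        "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
        "$(adb shell getenforce | tr -d '\r')"
}

# Constructed sample: a MediaTek device still on a December 2019 patch level.
assess_device mt6765 2019-12-05 Enforcing
```

Run `assess_via_adb` with a connected, USB-debugging-enabled device to apply the same logic to live properties.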

After discovering the script and how dangerous it can be in February, the forum notified Google of the bug, members said. XDA noted that in January, Trend Micro found three malicious spyware apps in the Google Play Store, linked to the APT known as SideWinder. The analysis mentions in passing that the apps were using MediaTek-su to gain root access on Pixel devices – though XDA pointed out that researchers there likely didn’t realize that MediaTek-su was an unpatched exploit and didn’t think to notify vendors.

The consequences of a successful attack can be significant: With root access, any app can grant itself any permission it wants; and with a root shell, all files on the device, even those stored in private data directories of applications, are accessible.

“An app with root can also silently install any other app it wants in the background and then grant them whatever permissions they need to violate your privacy,” according to XDA members. “According to XDA Recognized Developer topjohnwu, a malicious app can even ‘inject code directly into Zygote by using ptrace,’ which means a normal app on your device could be hijacked to do the bidding of the attacker.”

Also in its March Android update, Google patched a slew of other high-severity bugs and a handful of moderate flaws across various components. In the media framework, for instance, Google addressed a high-severity elevation-of-privilege bug (CVE-2020-0033) and a high-severity information-disclosure issue (CVE-2020-0034). Other components with patches include the Android system, the Android framework, the Google Play system, the kernel and flexible printed circuits (FPC). It also issued advisories for high-severity bugs in third-party components, including from Qualcomm and the aforementioned MediaTek bug.

Android partners and OEMs were notified of the issues at least a month before publication of the March update in order to give them time to issue patches, as Samsung and Qualcomm have done. Source code patches for the issues were also released to the Android Open Source Project (AOSP) repository, according to the advisory.

While the patch is now available, XDA members pointed out that MediaTek chipsets are found in dozens of budget and mid-tier Android devices from many different vendors, so the patching process is likely to take a while.