MediaTek Audio DSP Vulnerability: How a Nothing Phone Could Have Been Hacked (Except It Wasn't)
A security researcher at Check Point Software found a way to turn MediaTek's audio chip into a silent eavesdropping device. The MediaTek audio DSP vulnerability affected roughly 37% of the world's smartphones. Any malicious Android app could have exploited it to listen to your conversations without your knowledge. That includes phones from Xiaomi, Oppo, Realme, Vivo, and yes, devices running MediaTek Dimensity chips like the Nothing Phone (2a).

Except nobody got hacked. Not a single user. Here's the story of how one of the scariest mobile security flaws in recent memory was found, reported, and patched before it ever became a real-world threat.
What Is the MediaTek Audio DSP Vulnerability?
In November 2021, Slava Makkaveev, Security Researcher at Check Point Software, published a detailed technical writeup that lit up the Android security community. His team had reverse-engineered the firmware running on MediaTek's audio Digital Signal Processor (DSP), a dedicated chip inside MediaTek SoCs that handles audio processing independently from the main CPU.

The DSP runs on a custom Tensilica Xtensa microprocessor architecture. MediaTek extends this with proprietary instruction sets, which is supposed to make the firmware harder to analyze. It didn't stop Check Point.
What they found was bad. Really bad. By chaining together several vulnerabilities (tracked as CVE-2021-0661, CVE-2021-0662, CVE-2021-0663, and CVE-2021-0673), an attacker could craft a malicious Android app that would escalate privileges from regular user space all the way into the audio processor. Once there, the attacker could intercept audio streams. Phone calls. Conversations happening near the device.
The attack path worked like this: a seemingly innocent app installed from any source could communicate with the audio driver, exploit the vulnerabilities to gain elevated permissions, and then execute code directly on the DSP. The user would never see a notification. No permissions dialog. Nothing.
Having worked on systems where privilege escalation is the nightmare scenario, I can tell you this is about as bad as it gets in mobile security. The DSP sits below the operating system's security model. Once you're there, Android's sandboxing can't help you.
How Check Point Discovered the MediaTek DSP Flaw
The research team used a rooted Xiaomi Redmi Note 9 5G as their testing device. This phone runs the MT6853 chipset, MediaTek's Dimensity 800U. They chose it because it was widely available and representative of a modern MediaTek SoC.

The first challenge was understanding how Android communicates with the audio DSP in the first place. There has to be a driver that bridges the application processor (where Android runs) and the DSP (where audio gets processed). Check Point identified the relevant media drivers on the device and started mapping the inter-processor communication (IPC) channels.
The harder part was the firmware itself. MediaTek uses custom Tensilica Xtensa opcodes, meaning the instruction set isn't standard. You can't just throw the firmware binary into a disassembler and read it. The Check Point team had to figure out MediaTek's custom instructions and processor registers to make sense of the code.
I've shipped enough features to know that finding bugs in your own code is hard enough. Finding exploitable vulnerabilities in proprietary firmware running on a custom processor architecture with undocumented instructions? That's a completely different league.
This also wasn't Check Point's first rodeo with mobile DSP chips. They had previously conducted research on Qualcomm's Snapdragon DSP in a project called "Achilles," where they found hundreds of vulnerable pieces of code. The MediaTek research was a natural extension: if Qualcomm's DSP had issues, would MediaTek's?
Yes. Yes it would.
Why the Nothing Phone (2a) Isn't at Risk Today
Here's where the story gets good. The Nothing Phone (2a), released in March 2024, runs a MediaTek Dimensity 7200 Pro chipset. It's a MediaTek chip. So should Nothing Phone owners be worried?
No.
Check Point followed a responsible disclosure process. They reported the vulnerabilities to MediaTek before publishing anything. MediaTek acknowledged the issues, developed fixes, and released patches in their October 2021 security bulletin. That was more than two years before the Nothing Phone (2a) even existed.
Every MediaTek-powered device that has received Android security updates since late 2021 has the fix. The Nothing Phone (2a), shipping in 2024, was never vulnerable to this specific attack chain. The firmware on the Dimensity 7200 Pro was built after the patches were applied.
This is one of those things where the boring answer is actually the right one. The system worked. Researcher finds bug, reports it privately, vendor patches it, users get the fix through regular updates. No drama, no zero-day exploitation, no mass surveillance scandal.
But think about the alternative for a second. If Makkaveev had been a malicious actor instead of a security researcher, those vulnerabilities could have been weaponized and sold. With 37% of the world's smartphones and IoT devices running MediaTek SoCs, according to Check Point's own analysis, the blast radius would have been enormous.
The Responsible Disclosure Process That Saved Millions of Phones
Responsible disclosure doesn't get enough credit. It's the agreement between researchers and vendors that works roughly like this: I found a way to break your product. I'll tell you privately, give you time to fix it, and only publish the details after users are protected.
In practice, it's messy.
MediaTek had to develop patches for multiple CVEs across a chip architecture that's embedded in hundreds of different phone models from dozens of manufacturers. Then those patches had to flow through the Android security update pipeline to OEMs, who had to integrate them into their own firmware builds and push them to users. That chain has a lot of links, and any one of them can break.
In this case, it worked. MediaTek confirmed the issues, classified them, and had fixes ready for the October 2021 Android security bulletin. As Dan Goodin, Security Editor at Ars Technica, reported at the time, MediaTek fixed the flaws after being notified by Check Point, and the patches were distributed through the standard Android update process.
I've seen the alternative play out too many times. When responsible disclosure breaks down, when researchers go public before patches exist, or when vendors sit on reports and do nothing, the result is exploitation in the wild. The run of five Chrome zero-days in two weeks showed what happens when vulnerabilities get weaponized faster than they get patched. The MediaTek story is the version where everything goes right.
But there's a real problem hiding behind this success story. The patch only helps if your phone actually receives it. Budget Android phones, the exact market segment where MediaTek dominates, are notorious for slow or nonexistent security updates. A phone that stopped getting updates in 2020 would have remained vulnerable even after MediaTek released the fix. That's millions of devices.
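Since the practical question for a defender is "did this device ever get the fix," here is a small fleet check, added as an example for this post (it is not Check Point's, MediaTek's, or the original author's code). It parses the output of adb shell getprop for each device, treats an "mt"-prefixed ro.board.platform value as a MediaTek chipset (the article's test device reports mt6853), and compares ro.build.version.security_patch against a cutoff. The cutoff 2021-10-01 is an assumption derived from the article's "October 2021 bulletin"; the device blobs are constructed samples, not real captures.

```python
"""Flag MediaTek devices whose Android security patch level predates the
October 2021 bulletin that carried the audio DSP fixes (CVE-2021-0661/0662/
0663/0673). Input per device is the text of `adb shell getprop`."""
import re
from datetime import date
from typing import Dict, Optional

# Assumption: the earliest patch level that can include the DSP fixes,
# taken from the article's "October 2021 security bulletin".
DSP_FIX_CUTOFF = date(2021, 10, 1)

# `getprop` prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]\s*$")

# Constructed sample blobs standing in for real `adb shell getprop` output.
SAMPLE_DEVICES: Dict[str, str] = {
    "mediatek-stale": (
        "[ro.board.platform]: [mt6853]\n"
        "[ro.build.version.security_patch]: [2020-06-05]\n"
    ),
    "mediatek-current": (
        "[ro.board.platform]: [mt6853]\n"
        "[ro.build.version.security_patch]: [2024-03-05]\n"
    ),
    "mediatek-no-patch-prop": (
        "[ro.board.platform]: [mt6853]\n"
    ),
    "non-mediatek": (
        "[ro.board.platform]: [sm8250]\n"
        "[ro.build.version.security_patch]: [2020-06-05]\n"
    ),
}


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a dict; lines that don't match are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def parse_patch_level(value: str) -> Optional[date]:
    """ro.build.version.security_patch is YYYY-MM-DD; None if absent/malformed."""
    try:
        y, m, d = (int(part) for part in value.split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def is_mediatek(props: Dict[str, str]) -> bool:
    """MediaTek platforms report an 'mt'-prefixed board platform (e.g. mt6853)."""
    platform = props.get("ro.board.platform") or props.get("ro.hardware", "")
    return platform.lower().startswith("mt")


def assess(props: Dict[str, str]) -> str:
    """Classify one device: not-mediatek, unknown-patch-level, patched, exposed."""
    if not is_mediatek(props):
        return "not-mediatek"
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    if patch is None:
        return "unknown-patch-level"
    return "patched" if patch >= DSP_FIX_CUTOFF else "exposed"


def assess_fleet(blobs: Dict[str, str]) -> Dict[str, str]:
    """Run the check over a name -> getprop-text mapping."""
    return {name: assess(parse_getprop(text)) for name, text in blobs.items()}


if __name__ == "__main__":
    for name, verdict in assess_fleet(SAMPLE_DEVICES).items():
        print(f"{name:24s} {verdict}")
```

The check is necessary rather than sufficient: a patch level at or after the cutoff only tells you the OEM claims to have shipped that month's fixes, so a device stuck on a 2020 patch level (the case the paragraph above describes) is reported as exposed, while a device with no patch-level property at all is flagged for manual follow-up instead of silently passing.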
Are MediaTek Chips Less Secure Than Qualcomm?
This is the question everyone asks after a story like this, and honestly, it's the wrong question.
Both MediaTek and Qualcomm have had serious DSP vulnerabilities discovered by security researchers. Check Point found issues in both. Qualcomm's Snapdragon chips had the Achilles vulnerabilities. MediaTek had the audio DSP flaws. The existence of vulnerabilities doesn't mean one vendor is "less secure" than another. It means DSP firmware, running on custom processor architectures with minimal security scrutiny, is an attack surface the industry has chronically ignored.
What actually differentiates chip vendors on security is how they respond when vulnerabilities are found. MediaTek's response here was solid: they acknowledged the issues quickly, developed patches, and coordinated disclosure with Check Point. That's what you want to see.
The bigger concern isn't MediaTek versus Qualcomm. It's the Android update pipeline. If you're buying a $200 phone that gets two years of updates, you're inherently more exposed than someone with a Pixel getting five years of monthly patches. The chip is the same. The difference is whether the fix reaches your device.
After 14+ years in this industry, I've come to believe the weakest link in mobile security isn't the silicon. It's the gap between a patch being written and a user's phone actually installing it. That's where real-world exploitation happens.
If you're interested in how security vulnerabilities hide in unexpected places, I wrote about a similar pattern with invisible Unicode attacks lurking in source code. It's always the same story: the attack surface nobody's watching is the one that gets exploited.
What This Means Going Forward
The MediaTek audio DSP vulnerability story ended well. But it exposed a structural truth about smartphone security that hasn't changed: the chips inside our phones run firmware that most security teams never audit, on processor architectures that most researchers can't easily analyze, behind proprietary instruction sets designed to prevent exactly the kind of scrutiny that found these bugs.
MediaTek is now the world's largest smartphone chip vendor. Their silicon powers everything from budget phones in emerging markets to the Nothing Phone (2a) and flagship devices from major OEMs. The attack surface isn't shrinking.
Research like Check Point's is pushing the industry to take DSP security more seriously. But we're still relying on a handful of elite researchers to find these bugs before malicious actors do. That's not a security strategy. That's luck with good PR.
If you're carrying a phone with a MediaTek chip right now and your security patches are current, you're fine. This specific vulnerability was patched years ago. But if your phone stopped receiving updates, that's a different conversation entirely.
Here's my prediction: the next major mobile security scare won't come from the application processor or the operating system. It'll come from the growing number of co-processors (DSPs, NPUs, ISPs) running their own firmware with their own attack surfaces, all far less scrutinized than Android itself. Check Point showed us the door. The question is whether the industry walks through it before someone with worse intentions does.