[Update 3: Launch Date] OPPO teases its smartwatch with a square design

Update 2 (03/02/2020 @ 5:00 PM ET): OPPO will unveil the OPPO Watch, the company’s first smartwatch, alongside the Find X2 on March 6th.

Update 2 (02/26/2020 @ 06:40 AM ET): We now have another look at the upcoming OPPO smartwatch.

Update 1 (02/18/2020 @ 10:50 AM ET): OPPO’s Brian Shen has shared another image of the upcoming OPPO Watch.

At last year’s OPPO Inno Day event in China, the company confirmed that it will be launching a variety of new products in Q1 2020. The company revealed that following the launch of the Reno3 and Reno3 Pro 5G, it will be bringing a new smartwatch, smart wireless headphones, a 5G hub, and AR glasses to the market. At the time, OPPO had been teasing a new smartwatch for a while and the company’s VP, Head of Research, Levin Liu, also confirmed that the upcoming OPPO smartwatch will be unveiled in Q1 2020. As expected, OPPO has now released the first teaser of the upcoming smartwatch which showcases its Apple-watch like square design.

The teaser in question was recently shared by OPPO’s VP Shen Yiren on Weibo, who now goes by the name ‘Confident eyebrows’ on the platform. The image showcases a square smartwatch with rounded corners and a slightly curved display. The watch has a gold-colored case with two buttons on the right edge and a cream-colored watchstrap. The design is undeniably inspired by the Apple Watch, much like the Xiaomi Mi Watch from last year, to the point that even the wallpaper in the teaser looks like something straight from the Apple’s collection.

As of now, OPPO has released no technical information about the upcoming smartwatch. However, the company did talk about having the “technological know-how” to enable eSIM support at the Inno Day event, which leads us to believe that the smartwatch will most likely feature eSIM support.

Source: Weibo

---

Update: New Image

Here’s another look at the forthcoming OPPO Watch. The curved screen and 3D glass will be a game changer. pic.twitter.com/ozbl9BXNZq

— Brian Shen (@BrianShenYiRen) February 17, 2020

The last teaser of the OPPO Watch showed off the square display with curved edges, two side buttons, gold finish, and the overall Apple Watch-like design. Today, Brian Shen has shared a new image of the watch, this time focusing on the curved screen and 3D glass. In the tweet, he claims it will be a “game-changer.” Looking beyond the marketing-speak, however, there doesn’t appear to be anything unique about this design. The new image also appears to show a leather watchband, compared to the previous image that featured a silicone band. It’s hard to tell from the image, but this one looks to be silver.

---

Update 2: Another look at the upcoming OPPO smartwatch

Another render of the OPPO smartwatch was leaked, further highlighting its screen curve, Apple Watch-like design and software.

The Settings UI does not look like Android Wear OS, so it is possible that this could be a custom OS. However, the leaker does mention that the watch runs on “Android system, not a large bracelet” (rough translation), which implies that it is indeed an Android-based smartwatch and not just a smart fitness tracker.

Source: Weibo

---

Update 3: Launch Date

It’s time to say hello to #OPPOWatch.

Unveiled at the #OPPOFindX2 Launch Event March 6, 10.30am CET. pic.twitter.com/IwbOJnHoyg

— OPPO (@oppo) March 2, 2020

OPPO has announced that the OPPO Watch will be unveiled at the Find X2 event. The Find X2 was originally slated to be announced at MWC, but after the show was canceled, they rescheduled the event for March 6th. We will likely see more announcements at the event as well.

The post [Update 3: Launch Date] OPPO teases its smartwatch with a square design appeared first on xda-developers.

from xda-developers https://ift.tt/316YCRx
via IFTTT

[Update: Fixed in March Update] How to fix charging and end call sounds on the Google Pixel after the Android 10 update

Update (3/2/20 @ 4:50 PM ET): The Pixel 2‘s missing charging/end call sound bug has been fixed in the March 2020 update.

With the Android 10 update, some owners of the first and second-generation Google Pixel smartphones noticed that several UI sounds were different. For example, some users noticed that the end call and screen locking tones were missing while others noticed that the charging sound was different. If you have noticed this weird behavior on your Pixel after updating to Android 10 and are wondering what might possibly be the reason, we have the answer — as well as the solution.

As it turns out, the culprit seems to be the relocation of the system sound files. On Android 9 Pie and before, Google used to store UI‌ sounds such as docking/undocking sounds and screen locking sounds in /product/media/audio directory. That changed with Android 10, which has moved the sounds to a new location: /system/media/audio. The problem is Android 10 on the Pixel and Pixel 2 thinks the UI sounds are still in the old directory. As a result, when the system tries to access sounds from this old location and can’t locate the files, Android falls back to the older UI sounds embedded in framework-res.

According to XDA Member co4, you can easily fix this issue by tweaking the preference of the Global system settings. To do so set up ADB on your PC, connect your Pixel or Pixel 2 and run the following commands from the command prompt or Windows PowerShell.

adb shell settings put global car_dock_sound /system/media/audio/ui/Dock.ogg
adb shell settings put global car_undock_sound /system/media/audio/ui/Undock.ogg
adb shell settings put global desk_dock_sound /system/media/audio/ui/Dock.ogg
adb shell settings put global desk_undock_sound /system/media/audio/ui/Undock.ogg
adb shell settings put global lock_sound /system/media/audio/ui/Lock.ogg
adb shell settings put global low_battery_sound /system/media/audio/ui/LowBattery.ogg
adb shell settings put global trusted_sound /system/media/audio/ui/Trusted.ogg
adb shell settings put global unlock_sound /system/media/audio/ui/Unlock.ogg
adb shell settings put global wireless_charging_started_sound /system/media/audio/ui/ChargingStarted.ogg  

These commands will change the path for each UI‌ sound from /product/media/audio to /system/media/audio, making sure the system is now looking under the correct location when requesting system sounds.

There’s no need to reboot the device after running the above ADB commands. Note that this issue shouldn’t affect the Google Pixel 3, Pixel 3a, or Pixel 4 because in the firmware for these three devices, the UI sounds are already located in /product/media/audio. It only affects Pixel and Pixel 2 owners who had performed a clean install of Android 10 i.e. by flashing the Android 10 system image. If you updated from Android Pie to Android 10 with the official OTA, you should be fine — as long as you don’t perform a factory reset.

---

Update: Fixed in March Update

The March 2020 update that was released earlier today has fixed a weird issue that cropped up earlier this year. The missing lock and unlock sound effects have finally returned according to several users on Reddit. This was a strange bug and we’re glad it has finally been addressed.

Via: Reddit

The post [Update: Fixed in March Update] How to fix charging and end call sounds on the Google Pixel after the Android 10 update appeared first on xda-developers.

from xda-developers https://ift.tt/2rYjayh
via IFTTT

Verizon will carry Motorola’s flagship phone, the Motorola Edge+

Verizon is one of the biggest companies pushing 5G here in the U.S. They have several 5G-capable smartphones in their lineup and have continued to light up their mmWave 5G network in more cities. Last week, the company was demonstrating its mmWave 5G network speeds when they spilled the beans that they will be carrying an upcoming Motorola phone with 5G, which should be the Motorola Edge+.

The press release was about the company achieving 4.2 Gbps on its 5G network, but they also mentioned an upcoming Motorola phone. Verizon didn’t share many details, other than it is “powered by the Qualcomm Snapdragon 865 Mobile Platform with the Snapdragon X55 5G Modem-RF System.” Earlier this month, we shared photos of the upper mid-range sibling of the Motorola device with these specifications.

Motorola confirmed late last year that they would be releasing a phone with the Snapdragon 865. We believe this device could be called the “Motorola One 2020” when it’s released internationally, but we now know it will be called the Motorola Edge+ when it launches on Verizon. It will be the company’s first true flagship since the Moto Z3, and our Editor-in-Chief Mishaal Rahman has more information about it.

Motorola Edge+ logo. This is Motorola’s first flagship since the Moto Z3.

-Snapdragon 865
-6.67″ 2340×1080 curved 90Hz display
-Verizon/ROW
-Over 5000mAh (5170?) battery
-Up to 12GB RAM pic.twitter.com/l5vfMqX8P8

— Mishaal Rahman (@MishaalRahman) February 25, 2020

The Edge+ will have the aforementioned Qualcomm Snapdragon 865 SoC, a 6.67-inch 2340 x 1080 “waterfall” display with a 90Hz refresh rate, up to 12GB of RAM, and a battery over 5,000 mAh. These specifications certainly put the device in the flagship market where it will compete with the likes of the Galaxy S20.

Verizon did not share any information about when we can expect to see this 5G Motorola phone, but we’d guess it won’t be long from now. What do you think of this flagship Motorola phone? Are you ready to give the Motorola Edge+ a chance?

The post Verizon will carry Motorola’s flagship phone, the Motorola Edge+ appeared first on xda-developers.

from xda-developers https://ift.tt/3an6mSJ
via IFTTT

How Monthly Android Security Patch Updates Work

Google has been publishing monthly security bulletins since August of 2015. These security bulletins contain a list of disclosed security vulnerabilities that have been fixed which affect the Android framework, Linux kernel, and other closed-source vendor components. Every vulnerability in the bulletins was either discovered by Google or disclosed to the company. Every vulnerability listed has a Common Vulnerabilities and Exposures (CVE) number, along with associated references, the type of vulnerability, a severity assessment, and the AOSP version affected (if applicable). But despite the seemingly simplistic process behind how Android security patches work, there’s actually a somewhat complicated back-and-forth behind the scenes that allows for your phone to get monthly or (hopefully) near-monthly patches.

What actually makes a security patch?

You may have noticed that every month, there are actually two security patch levels. The format of these patches is either YYYY-MM-01 or YYYY-MM-05. While the YYYY and MM obviously represent the year and month respectively, the “01” and “05” confusingly does not actually signify the day of the month in which that security patch level was released. Instead, the 01 and 05 are actually two different security patch levels released on the same day every month – the patch level with 01 at the end contains fixes to the Android framework but not vendor patches or upstream Linux kernel patches. Vendor patches, as we defined above, refer to fixes to closed-source components such as drivers for Wi-Fi and Bluetooth. The security patch level signified by -05 contains these vendor patches as well as patches in the Linux kernel. Take a look at the table below which may help in understanding.

Monthly Security Patch Level	2019-04-01	2019-04-05
Contains April Framework Patches	Yes	Yes
Contains April Vendor + Kernel Patches	No	Yes
Contains March Framework Patches	Yes	Yes
Contains March Vendor + Kernel Patches	Yes	Yes

Of course, some OEMs may opt to roll their own patches and updates into security updates as well. Most OEMs have their own take on Android, so it only makes sense that you may have, for example, a vulnerability on a Samsung phone that doesn’t exist on a Huawei. A lot of these OEMs also publish their own security bulletins.

• Google Pixel
• Huawei
• LG
• Motorola
• HMD Global
• Samsung

The timeline of a security patch from Google to your phone

Security patches have a timeline roughly spanning about 30 days, though not every OEM can avail of the full length of that timeline. Let’s take a look at the May 2019 security patch for example, and we can break down the entire timeline behind the creation of this patch. Companies like Essential manage to get out their security updates on the same day as the Google Pixel, so how do they do it? The short and simple answer is that they’re an Android partner. The May 2019 security bulletin was published on the 6th of May, with both the Google Pixels and the Essential Phone getting near-immediate updates.

What it means to be an Android Partner

Not just any company can be an Android Partner, though admittedly basically every major Android OEM is. Android Partners are the companies that are granted a license to use the Android branding in marketing material. They are also allowed to ship Google Mobile Services (GMS – refers to pretty much all Google services) so long as they meet the requirements outlined in the Compatibility Definition Document (CDD) and pass the Compatibility Test Suite (CTS), Vendor Test Suite (VTS), Google Test Suite (GTS), and a few other tests. There are distinct differences in the security patch process for companies that aren’t an Android Partner.

• Android framework patches are available to them after being merged into AOSP 1-2 days before the security bulletin is released.
• Upstream Linux kernel patches can be cherry-picked once available.
• Fixes from SoC vendors for closed-source components are available depending on agreements with the SoC vendor. Note that if the vendor has given the OEM access to the source code of the closed-source component(s), then the OEM can fix the issue(s) themselves. If the OEM does not have access to the source code, then they must wait for the vendor to issue a fix.

If you are an Android Partner, you immediately have it a whole lot easier. Android partners are notified of all Android framework issues and Linux kernel issues at least 30 days before the bulletin is made public. Google provides patches for all issues for OEMs to merge and test, though vendor component patches are dependent on the vendor. Patches for the Android framework issues disclosed in the May 2019 security bulletin, for example, were provided to Android partners at least as early as March 20th, 2019*. That’s a lot of extra time.

*Note: Google can, and often does, update the patches for the latest security bulletin all the way until the public release. These updates can happen if new vulnerabilities and bugs have been found, if Google decides to remove certain patches from the monthly bulletin due to it breaking critical components, if Google updates a patch to resolve a bug created by the previous version of the patch, and other reasons.

Why do I need to wait so long to receive a security patch on my phone?

While it’s true that Android Partners (read: all major OEMs) received security patches well in advance of their release, many are painfully aware that they possibly won’t receive a security update for months after its release. This is generally down to one of four reasons.

• OEMs may need to make heavy technical changes in order to accommodate a security patch, as it may conflict with existing code.
• The vendor is slow at providing update source-code for closed-source components.
• Carrier certification may take time.
• Companies may be unwilling to release a security update without also releasing a feature at the same time.

While all of these are valid reasons for a business not to release a security patch, the end-user doesn’t always care about any of those. Admittedly, the end-user doesn’t always care about security patches either, though they should. Initiatives like Project Treble, extended Linux LTS, and Project Mainline are helping to eliminate the technical difficulties of merging these security patches, but it’s not enough to make OEMs consistently strive to put out updates. With a Generic Kernel Image, or GKI, SoC vendors and OEMs will have an easier time merging upstream Linux kernel patches, though we likely won’t see the first devices with GKI until next year.

But an interesting piece of information that most don’t know is that major OEMs must provide “at least four security updates” within a year of a device’s launch, and 2 years of updates overall. Google has not confirmed these specific terms, but the company did confirm that they “worked on building security patching into [their] OEM agreements”. As for Android Enterprise Recommended (AER) devices, devices are required to get security updates within 90 days of release for 3 years. Rugged AER devices are required to get 5 years of security updates. Android One devices are supposed to get security updates every month for 3 years.

What’s in a security patch?

A security patch is just another update, though generally a lot smaller with changes to individual frameworks and system modules rather than system-wide improvements or changes. Each month, Google provides device OEMs with a zip file that contains patches for all major Android versions currently still supported, along with a security test suite. This test suite helps OEMs catch gaps in security patches, to ensure that they don’t miss anything and that the patches were merged appropriately. As the month goes on, Google may make minor revisions such as deciding that one specific patch is optional, specifically if there are troubles implementing it.

What about custom ROMs?

If your smartphone doesn’t get many security updates, that doesn’t necessarily mean you’re better off switching to a custom ROM. While true that you will get security updates that you would not have gotten otherwise, that’s only half of the story. Unlocking your bootloader leaves you susceptible to physical attacks on your device, even if on the software side, security is hardened. That’s not to say you shouldn’t use custom ROMs, it’s just that there are other concerns when it comes to using them that don’t apply if your bootloader is kept locked. If you’re more worried about the software side of things, then you’re still better off with a custom ROM that gets frequent security patches.

But remember we talked about the difference between YYYY-MM-01 and YYYY-MM-05 patches? The -05 patch level contains Linux kernel patches as well as vendor patches – patches applied to closed-source software. This means custom ROM developers are at the mercy of whatever OEM they’re developing for, and if the OEM releases update blobs or not. This is fine for devices that are still updated by the manufacturer, but for devices that aren’t, the patches applied can only be applied to the Android framework and the Linux kernel. This is why LineageOS‘ Trust Interface shows two security patch levels – one being platform, the other being vendor. Even though custom ROMs for unsupported devices can’t fully integrate all of the latest patches, they’re going to be more secure than the older, outdated ROM.

The post How Monthly Android Security Patch Updates Work appeared first on xda-developers.

from xda-developers https://ift.tt/38dexPX
via IFTTT

New Pixel Feature Drop adds Dark Mode Scheduling, Cards & Passes to Power Menu, and more

Two months after announcing the Pixel 4, Google announced the first Pixel Feature Drop. Instead of rolling out major new features individually, Google decided to wait to unveil new features and drop them all at hence in the same update. Hence, Pixel “Feature Drop.” The first one only added a few features such as auto-framing in Google Duo, post-snap Portrait Mode in Google Photos, and automatic call screen in the Google Phone app, but the second Feature Drop is adding a dozen new features. Here’s a chart from Google that lists the new features arriving on Pixel devices with the March update:

You might be already familiar with many of these features since we’ve either documented them in the Android 11 Developer Preview or manually enabled them ahead of release. If you aren’t familiar, though, here’s a summary to get you up to speed:

• Cards & Passes: This feature lets you quickly access your debit or credit cards, event tickets, boarding passes, or any other cards stored in Google Pay, simply by pressing and holding the power button. The feature will be available to users in the following countries: U.S., U.K., Canada, Australia, France, Germany, Spain, Italy, Ireland, Taiwan, and Singapore. On Pixel 4, you can also quickly access your emergency contacts and medical information stored in the “Personal Safety” app. For non-Pixel owners, this feature will arrive in Android 11 as “Quick Access Wallet.”
• Screenshot a boarding pass to add it to Google Pay: This does exactly what it says it’ll do. Simply take a screenshot of a boarding pass with the barcode showing, and then you can add the boarding pass to Google Pay by tapping on the notification that’s shown. Google Pay will then give you real-time updates on your flight, and on the day of departure, you can quickly pull up your boarding pass by long-pressing the power button to show the Cards & Passes menu. Oddly, this feature isn’t available on the Pixel 2 or Pixel 2 XL even though both devices support Cards & Passes. For the Pixel 3, Pixel 3a, and Pixel 4, the feature will gradually become available in all countries where Google Pay is available, so long as you’re on the March Pixel Feature Drop update.
• Tap to pause with Motion Sense: You can now pause and resume music playback on Pixel 4 by doing a “tap” gesture above the phone. This feature was first added to Motion Sense in the Android 11 Developer Preview, but it’s good to see it show up in the Pixel Feature Drop since few people are on the Developer Preview.
• Dark theme scheduling: One of the best new features in the Android 11 Developer Preview is the ability to schedule the dark theme. This feature is now available for all Pixel devices in the March Pixel Feature Drop, though it’s not as robust as the feature in Android 11. While you can schedule dark theme to coincide with the day/night cycle, you can’t customize the time for when you want to toggle dark mode.
• Rules: This is a new feature that lets you automate when you want your phone to enter Do Not Disturb mode, be silent, vibrate for notifications, or alert you for notifications. You can set triggers based on the Wi-Fi network or physical location. The feature has already started rolling out to most Pixel users.
• Emojis 12.1 Update: Google has added 169 new emoji to choose from, many of which have variations in gender and skin tones to be more accommodating.
• Duo AR Effects: During a live video call, you can show augmented reality characters that react to your facial expression and move with you around the screen. To use effects during a call, tap the menu button and then “Effects” to choose an effect. This feature isn’t available for the Pixel 2 or Pixel 3a as it might be too computationally intensive for these devices.
• Better selfies: On Pixel 4, the front-facing camera can now create images with depth, improving Portrait Mode and color pop. (The Pixel 4 only has a single front-facing camera unlike the Pixel 3 with its secondary wide-angle camera.) You can now create 3D Photos in Facebook using the single camera on Pixel 4, though this feature is broadly rolling out to devices with single cameras. To enable this feature, open the Google Camera app and go to Settings > Advanced > Social Media Depth Features.
• Car crash detection: Google is rolling out car crash detection, a feature in the Personal Safety app that detects when you’re in a motor vehicle accident and alerts emergency services if you’re unresponsive, to more areas. In addition to the United States, car crash detection is now available for Pixel 4 users in Australia and the United Kingdom with the latest Pixel Feature Drop update. Although the feature is still only officially available for Pixel 4 owners, the Personal Safety APK from the Android 11 Developer Preview can be sideloaded onto other Pixel devices to enable the feature.
• Live caption: This feature transcribes audio being played back on your phone and displays the transcriptions as floating captions on-screen. This feature debuted on the Pixel 4, came to the Pixel 3 and Pixel 3a in the first Pixel Feature Drop, and landed on the Pixel 2 for many users with an update to the Device Personalization Services app. If you haven’t gotten the feature yet, then it should definitely arrive in the March update. Live caption is still limited to English and also doesn’t work with music, phone calls, or VOIP.
• Long press improvements: According to Google, the Pixel Launcher will have “improved long press options.” Google says that “you can now firmly press to get more help from your apps more quickly.” We aren’t sure exactly what has changed here, but it sounds like Google is making use of the “Deep Press” API introduced in Android 10. Google trained an ML model to recognize when the user is pressing more forcefully on the screen. If that sounds like Apple’s now-abandoned Force Touch, then that’s exactly what they’re aiming for.
• Adaptive brightness improvements: One of the flaws of the Pixel 4 is how disappointingly dim the display gets when you’re using the phone outdoors. We found out that Google wasn’t using the Pixel’s High Brightness Mode for outdoor use even though it can massively improve sunlight visibility. In the new Pixel Feature Drop, Google has updated Adaptive Brightness on the Pixel 4 so your screen brightness temporarily increases in extremely bright ambient lighting (like under direct sunlight).
• Increased touch sensitivity: This feature wasn’t documented by Google in their official blog post, but XDA Senior Member cstark27 informed us that the “increase touch sensitivity” option is no longer exclusive to the Android 11 Developer Preview. This feature improves touch sensitivity, which could be useful if you’re wearing gloves. For Pixel 4 owners on the latest March update, you’ll find the new toggle in Display settings.

That’s all the information that Google shared in their official blog post announcing the second Pixel Feature Drop as well as the announcement thread on the Pixel support forums. Here’s a short video showing off the key features of this big update:

The post New Pixel Feature Drop adds Dark Mode Scheduling, Cards & Passes to Power Menu, and more appeared first on xda-developers.

from xda-developers https://ift.tt/32NogeH
via IFTTT

March 2020 security patches rolling out with fixes for Pixel devices

Today is the first Monday in March, a relatively uneventful day in most cases. In the technology world, however, the first Monday of a new month means new Android security updates. The March 2020 Android security patches include the usual bevy of fixes along with some specific fixes for Pixel devices. The update is rolling out now for the Pixel 4, Pixel 4 XL, Pixel 3a, Pixel 3a XL, Pixel 3, Pixel 3 XL, Pixel 2, and Pixel 2 XL.

This month’s Android security update includes quite a few “notable fixes and improvements.” There’s something for every Pixel from the Pixel 2 all the way up the Pixel 4. There are a few fixes specific to Camera, Face Unlock, and Motion Sense on the Pixel 4 series. Google has also announced the second “Feature Drop” with new features for Pixel devices. Check out the chart below to see what fixes are in tow for your Pixel.

Build Numbers

• Pixel 2 (XL): QQ2A.200305.002
• Pixel 3 (XL): QQ2A.200305.002
• Pixel 3a (XL): QQ2A.200305.002
• Pixel 4 (XL):
  • Global: QQ2A.200305.003
  • AT&T: QQ2A.200305.004.A1

Download Factory Images | Download OTA Images

Android Security Bulletin | Pixel Update Bulletin

The post March 2020 security patches rolling out with fixes for Pixel devices appeared first on xda-developers.

from xda-developers https://ift.tt/39isVb9
via IFTTT

Critical MediaTek rootkit affecting millions of Android devices has been out in the open for months

On the first Monday of every month, Google publishes the Android Security Bulletin, a page that discloses all the security vulnerabilities and their patches submitted by Google themselves or other third-parties. Today was no exception: Google just made public the Android Security Bulletin for March 2020. One of the vulnerabilities that are documented in the latest bulletin is CVE-2020-0069, a critical security exploit, specifically a rootkit, that affects millions of devices with chipsets from MediaTek, the large Taiwanese chip design company. Although the March 2020 Android Security Bulletin is seemingly the first time that CVE-2020-0069 has been publicly disclosed, details of the exploit have actually been sitting openly on the Internet—more specifically, on the XDA-Developers forums—since April of 2019. Despite MediaTek making a patch available a month after discovery, the vulnerability is still exploitable on dozens of device models. Even worse, the vulnerability is actively being exploited by hackers. Now MediaTek has turned to Google to close this patch gap and secure millions of devices against this critical security exploit.

The Origin of MediaTek-su

For any readers who aren’t familiar with XDA-Developers, we’re a site that’s home to the largest forums for Android software modifications. Usually, these modifications center around attaining root access on devices in order to delete bloatware, install custom software, or tweak default system parameters. Amazon’s Fire tablets are popular targets for hobbyist hackers on our forums—they’re full of uninstallable bloatware, lack access to basic software applications like the Google Play Store, and, most importantly, are very cheap. The challenge with rooting Amazon Fire tablets is that they’re heavily locked down to prevent users from stepping outside of Amazon’s walled garden; Amazon does not provide an official method to unlock the bootloader of Fire tablets, which is usually the first step in rooting any given Android device. Therefore, the only way to root an Amazon Fire tablet (without hardware modifications) is to find an exploit in the software that allows the user to bypass Android’s security model. In February of 2019, that’s exactly what XDA Senior Member diplomatic did when he published a thread on our Amazon Fire tablet forums. What he didn’t immediately realize is that he stumbled upon an exploit that was far wider in scope than just Amazon’s Fire tablets.

After a bit of testing from XDA Member diplomatic and other community members, it was discovered that this exploit works on a large number of MediaTek chips. The author states that the exploit works on “virtually all of MediaTek’s 64-bit chips,” and they specifically name the following as being vulnerable: MT6735, MT6737, MT6738, MT6739, MT6750, MT6753, MT6755, MT6757, MT6758, MT6761, MT6762, MT6763, MT6765, MT6771, MT6779, MT6795, MT6797, MT6799, MT8163, MT8167, MT8173, MT8176, MT8183, MT6580, and MT6595. Because of how many MediaTek chipsets were affected by this exploit, the exploit was given the name “MediaTek-su,” or “MTK-su,” for short. On April 17th, 2019, diplomatic published a second thread titled “Amazing Temp Root for MediaTek ARMv8” on our “Miscellaneous Android Development” forum. In this thread, he shared a script that users can execute to grant them superuser access in shell, as well as set SELinux, the Linux kernel module that provides access control for processes, to the highly insecure “permissive” state. For a user to get root access and set SELinux to permissive on their own device is shockingly easy to do: All you have to do is copy the script to a temporary folder, change directories to where the script is stored, add executable permissions to the script, and then execute the script.

The simple steps to get root access using MediaTek-su. Source: XDA Senior Member Diplomatic

XDA community members confirmed the exploit worked on at least the following devices:

Devices the community confirmed were exploitable by MediaTek-su

1. Acer Iconia One 10 B3-A30
2. Acer Iconia One 10 B3-A40
3. Alba tablet series
4. Alcatel 1 5033 series
5. Alcatel 1C
6. Alcatel 3L (2018) 5034 series
7. Alcatel 3T 8
8. Alcatel A5 LED 5085 series
9. Alcatel A30 5049 series
10. Alcatel Idol 5
11. Alcatel/TCL A1 A501DL
12. Alcatel/TCL LX A502DL
13. Alcatel Tetra 5041C
14. Amazon Fire 7 2019 — up to Fire OS 6.3.1.2 build 0002517050244 only
15. Amazon Fire HD 8 2016 — up to Fire OS 5.3.6.4 build 626533320 only
16. Amazon Fire HD 8 2017 — up to Fire OS 5.6.4.0 build 636558520 only
17. Amazon Fire HD 8 2018 — up to Fire OS 6.3.0.1 only
18. Amazon Fire HD 10 2017 — up to Fire OS 5.6.4.0 build 636558520 only
19. Amazon Fire HD 10 2019 — up to Fire OS 7.3.1.0 only
20. Amazon Fire TV 2 — up to Fire OS 5.2.6.9 only
21. ASUS ZenFone Max Plus X018D
22. ASUS ZenPad 3s 10 Z500M
23. ASUS ZenPad Z3xxM(F) MT8163-based series
24. Barnes & Noble NOOK Tablet 7″ BNTV450 & BNTV460
25. Barnes & Noble NOOK Tablet 10.1″ BNTV650
26. Blackview A8 Max
27. Blackview BV9600 Pro (Helio P60)
28. BLU Life Max
29. BLU Life One X
30. BLU R1 series
31. BLU R2 LTE
32. BLU S1
33. BLU Tank Xtreme Pro
34. BLU Vivo 8L
35. BLU Vivo XI
36. BLU Vivo XL4
37. Bluboo S8
38. BQ Aquaris M8
39. CAT S41
40. Coolpad Cool Play 8 Lite
41. Dragon Touch K10
42. Echo Feeling
43. Gionee M7
44. HiSense Infinity H12 Lite
45. Huawei GR3 TAG-L21
46. Huawei Y5II
47. Huawei Y6II MT6735 series
48. Lava Iris 88S
49. Lenovo C2 series
50. Lenovo Tab E8
51. Lenovo Tab2 A10-70F
52. LG K8+ (2018) X210ULMA (MTK)
53. LG K10 (2017)
54. LG Tribute Dynasty
55. LG X power 2/M320 series (MTK)
56. LG Xpression Plus 2/K40 LMX420 series
57. Lumigon T3
58. Meizu M5c
59. Meizu M6
60. Meizu Pro 7 Plus
61. Nokia 1
62. Nokia 1 Plus
63. Nokia 3
64. Nokia 3.1
65. Nokia 3.1 Plus
66. Nokia 5.1
67. Nokia 5.1 Plus/X5
68. Onn 7″ Android tablet
69. Onn 8″ & 10″ tablet series (MT8163)
70. OPPO A5s
71. OPPO F5 series/A73 — Android 8.x only
72. OPPO F7 series — Android 8.x only
73. OPPO F9 series — Android 8.x only
74. Oukitel K12
75. Protruly D7
76. Realme 1
77. Sony Xperia C4
78. Sony Xperia C5 series
79. Sony Xperia L1
80. Sony Xperia L3
81. Sony Xperia XA series
82. Sony Xperia XA1 series
83. Southern Telecom Smartab ST1009X (MT8167)
84. TECNO Spark 3 series
85. Umidigi F1 series
86. Umidigi Power
87. Wiko Ride
88. Wiko Sunny
89. Wiko View3
90. Xiaomi Redmi 6/6A series
91. ZTE Blade A530
92. ZTE Blade D6/V6
93. ZTE Quest 5 Z3351S

With the exception of MediaTek-based phones from Vivo, Huawei/Honor (after Android 8.0+), OPPO (after Android 8.0+), and Samsung, XDA community members found that MediaTek-su works more often than not when attempted on devices with affected chipsets. According to XDA Member diplomatic, Vivo, Huawei/Honor, OPPO, and Samsung devices “use kernel modifications to deter root access via exploits,” which means the developer would need to dig into the kernel source code of these devices to create “tailored version[s]” of the exploit. That wasn’t worth the added effort, so the developer chose not to add support for these devices even though, “in theory,” the exploit could still work.

By now, it should be clear that this exploit affects a large number of devices on the market. MediaTek chips power hundreds of budget and mid-range smartphone models, cheap tablets, and off-brand set-top boxes, most of which are sold without the expectation of timely updates from the manufacturer. Many devices still affected by MediaTek-su are thus unlikely to get a fix for weeks or months after today’s disclosure, if they get one at all. So what makes MediaTek-su earn its “Critical” severity with a CVSS v3.0 score of 9.3?

Why MTK-su is a Critical Security Vulnerability

To reiterate, the typical way to achieve root access on an Android device is to first unlock the bootloader, which disables verification of the boot partition. Once the bootloader is unlocked, the user can introduce a superuser binary to the system and also a superuser management app to control which processes have access to root. Unlocking the bootloader is intentionally disabling one of the key security features on the device, which is why the user has to explicitly allow it to happen by typically enabling a toggle in Developer Options and then issuing an unlock command to the bootloader. With MediaTek-su, however, the user does not have to unlock the bootloader to get root access. Instead, all they have to do is copy a script to their device and execute it in shell. The user isn’t the only one that can do this, though. Any app on your phone can copy the MediaTek-su script to their private directory and then execute it to gain root access in shell. In fact, XDA Member diplomatic highlights this possibility in their forum thread when they suggest an alternative set of instructions using either the Terminal Emulator for Android app or Termux rather than ADB.

With root access, Android’s security model basically falls apart. For example, permissions become meaningless in the context of root as an app with access to a root shell can grant itself any permission it wants. Furthermore, with a root shell, the entirety of the data partition—including files stored in the typically inaccessible private data directories of applications—is accessible. An app with root can also silently install any other app it wants in the background and then grant them whatever permissions they need to violate your privacy. According to XDA Recognized Developer topjohnwu, a malicious app can even “inject code directly into Zygote by using ptrace,” which means a normal app on your device could be hijacked to do the bidding of the attacker. These examples only touch on a few ways that an app can violate your trust in the background without your knowledge. However, malicious apps can wreak havoc on your device without hiding what they’re doing. Ransomware, for example, is extremely potent with root access; if you don’t pay up, a hypothetical ransomware app could totally and irreversibly make your device inoperable by wiping the entire device clean.

The only “weakness” in MediaTek-su is that it grants an application just “temporary” root access, which means that a process loses superuser access after a device reboot. Furthermore, on devices running Android 6.0 Marshmallow and above, the presence of Verified Boot and dm-verity block modifications to read-only partitions like system and vendor. However, these two factors are mostly only hindrances to modders on our forums rather than malicious actors. To overcome the limitation of temporary root, a malicious app can simply re-run the MediaTek-su script on every boot. On the other hand, there’s little need to overcome dm-verity as permanent modifications to the system or vendor partitions are unlikely to interest most malware authors; after all, there are already tons of things a malicious app can do with a root shell.

If you’re wondering on a technical level what MediaTek-su is exploiting, MediaTek shared the below chart with us that summarizes the entry point. The flaw apparently exists in one of MediaTek’s Linux Kernel drivers called “CMDQ.” The description states that, “by executing IOCTL commands in [the] CMDQ device node,” a local attacker can “arbitrarily read/write physical memory, dump [the] kernel symbol table to the pre-allocated DMA buffer, [and] manipulate the DMA buffer to modify the kernel settings to disable SELinux and escalate to ‘root’ privilege.”

MediaTek’s Security Vulnerability Summary of CVE-2020-0069

According to the chart that MediaTek shared with us, this vulnerability affects MediaTek devices with Linux Kernel versions 3.18, 4.4, 4.9, or 4.14 running Android versions 7 Nougat, 8 Oreo, or 9 Pie. The vulnerability is not exploitable on MediaTek devices running Android 10, apparently, since “the access permission of CMDQ device nodes is also enforced by SELinux.” This mitigation likely comes from an update to MediaTek’s BSP rather than from Android itself. Android 10’s only mitigation for this vulnerability is its restriction on apps executing binaries in their home directory; however, as XDA Recognized Developer topjohnwu notes, a malicious app can simply run the MediaTek-su code in a dynamic library.

Even though MediaTek has patched this issue in all the affected chipsets, they can’t force device makers to implement the patches. MediaTek told us they had patches ready all the way back in May of 2019. Amazon, unsurprisingly, immediately patched the issue across its devices once they were made aware. However, 10 months have passed since MediaTek made a fix available to its partners, yet in March of 2020, dozens of OEMs haven’t fixed their devices. Most of the affected devices are on older Android releases with outdated Android Security Patch Levels (SPLs), and the update situation is even worse when you consider the hundreds of lesser-known device models using these MediaTek chips. MediaTek has a serious issue on its hands here, so they’ve turned to Google for help.

Unlike MediaTek, Google can force OEMs to update their devices through license agreements or program terms (such as Android One). For an OEM to declare that a device is in compliance with the 2020-03-05 Security Patch Level (SPL), the device must include all framework, Linux kernel, and applicable vendor driver fixes in the March 2020 Android Security Bulletin, which includes a fix for CVE-2020-0069, or MediaTek-su. (Google doesn’t actually seem to enforce that OEMs actually merge all patches when declaring a certain SPL, though.) Now that the March 2020 bulletin is out, this story should be over, right? Unfortunately, we have to also hold Google’s feet to the fire for dragging their feet on incorporating the patches.

The flaw in the security patch process

In case it isn’t clear already, not every security vulnerability needs to end up in an Android Security Bulletin. Many vulnerabilities are discovered and patched by vendors without them ever showing up in the monthly bulletin. MediaTek-su should have been one of them, but for multiple reasons, several OEMs failed to integrate the patches offered by MediaTek. (There are a lot of potential reasons why, ranging from a lack of resources to business decisions to a failure in communication.) When I previously stated that MediaTek “turned to Google” for help, it implied that MediaTek actively sought help from Google to get OEMs to finally fix their devices. However, that might not actually have been the case. It is my understanding that Google was unaware of MediaTek-su until it was incidentally brought up in a security report from TrendMicro published January 6th, 2020. In the report, TrendMicro was documenting another security vulnerability, dubbed the “use-after-free in binder driver” vulnerability, that was actively being exploited in the wild. TrendMicro noted how three malicious apps attained root access using one of two methods, either the “use-after-free in binder driver” vulnerability or MediaTek-su.

Alleged Play Store apps abusing MediaTek-su. Source: TrendMicro.

In the code that TrendMicro shared, we can clearly see how the malicious apps were targeting specific device models (eg. Nokia 3, OPPO F9, and Redmi 6A) and employing MediaTek-su on them.

I can’t speak for TrendMicro, but it seems that they were unaware that MediaTek-su was a yet-unpatched exploit. Their focus was on the “use-after-free in binder driver” exploit, after all, and the discovery of the use of MediaTek-su seems to have been an afterthought. (I’m sure that if TrendMicro were aware of the situation surrounding MediaTek-su, they would have coordinated their disclosure efforts with Google.) We were only made aware of this exploit ourselves on February 5th, 2020, and after investigating for ourselves how bad it was, we contacted Google about it on February 7th, 2020. Google was so concerned about the repercussions of publicizing MediaTek-su that they asked us to hold off on publishing this story until today. After considering the irreparable harm that can be inflicted on users targeted by malware using MediaTek-su, we agreed to put a hold on this story until the announcement of the March 2020 Android Security Bulletin. Still, considering how long it’ll take many devices to get the latest security update, if they ever get it at all, there is bound to be a ton of devices still vulnerable to MediaTek-su a few months from now. That should be horrifying to anyone with a vulnerable device.

Even though this very serious, “critical” severity vulnerability is actively being exploited in the wild, Google only slotted in the fix for this issue into the March 2020 bulletin, which is about 2 months after they were made aware of the issue. While Google does inform its Android partners about the latest Android Security Bulletin a full 30 days before the bulletin is made public (ie. OEMs were made aware of what’s in the March 2020 bulletin in early February 2020), Google can, and often does, update the bulletin with changes or new fixes. Why Google didn’t choose to expedite the inclusion of a patch for such a serious issue is beyond me, especially when MediaTek had a fix for it 10 months ago. If such a bug were discovered in Apple’s devices, I have little doubt they would have issued a fix much, much faster. Google essentially banked on the risky bet that MediaTek-su would remain as seemingly low-profile as it already was until the March 2020 bulletin. While Google seems to have gotten lucky in that regard, we have no idea how many malware authors already know about the exploit. After all, it’s been sitting in a random XDA forum thread for nearly a whole year.

There’s one more party in this debacle that I haven’t addressed much, and it’s the author of the exploit, XDA Member diplomatic. To their credit, I don’t think they had any malicious intent in publishing MediaTek-su. We can clearly trace the exploit’s origin to diplomatic’s desire to mod the Amazon Fire tablets. Diplomatic tells me that their “main motivation for searching for a method like this was to help the community.” Customizing your device is what XDA is all about, and diplomatic’s efforts in the community are what people enjoy about the forums. Although diplomatic’s refusal to open source the project raises some concerns, they explain that they wanted the community to enjoy this “amazing temp root for MediaTek” project for as long as possible. When I first contacted diplomatic, they did admit that they were involved in some kind of “business transaction with the project’s source and research” that they insisted was “all legit.” While I was unable to get more details about this “business transaction,” I do wonder if diplomatic would have chosen to go this route if MediaTek offered a bug bounty program. I can’t imagine that a vulnerability of this magnitude wouldn’t pay out a hefty sum of money if MediaTek actually had such a program. Diplomatic claims that this exploit “has been possible since the days of MT6580” which was announced near the end of 2015, so one has to wonder if diplomatic is even the first person to find this exploit.

How to check if you’re affected by MediaTek-su?

If you want to check whether your device is vulnerable to MediaTek-su, then manually run the script posted by XDA Member diplomatic in this XDA forum thread. If you enter a root shell (you’ll know when the symbol changes from $ to #), then you’ll know the exploit works. If it works, then you’ll need to wait for the manufacturer of your device to roll out an update that patches MediaTek-su. If your device reports the Security Patch Level of 2020-03-05, which is the latest March 2020 SPL, then it is almost certainly protected against MediaTek-su. Otherwise, you’ll have to just check whether your device is vulnerable.

The post Critical MediaTek rootkit affecting millions of Android devices has been out in the open for months appeared first on xda-developers.

from xda-developers https://ift.tt/38mcfON
via IFTTT