To reiterate, the typical way to achieve root access on an Android device is to first unlock the bootloader, which disables verification of the boot partition. Once the bootloader is unlocked, the user can introduce a superuser binary to the system and also a superuser management app to control which processes have access to root. Unlocking the bootloader is intentionally disabling one of the key security features on the device, which is why the user has to explicitly allow it to happen by typically enabling a toggle in Developer Options and then issuing an unlock command to the bootloader. With MediaTek-su, however, the user does not have to unlock the bootloader to get root access. Instead, all they have to do is copy a script to their device and execute it in shell. The user isn't the only one that can do this, though. Any app on your phone can copy the MediaTek-su script to their private directory and then execute it to gain root access in shell. In fact, XDA Member diplomatic highlights this possibility in their forum thread when they suggest an alternative set of instructions using either the Terminal Emulator for Android app or Termux rather than ADB.
The only "weakness" in MediaTek-su is that it grants an application just "temporary" root access, which means that a process loses superuser access after a device reboot. Furthermore, on devices running Android 6.0 Marshmallow and above, the presence of Verified Boot and dm-verity block modifications to read-only partitions like system and vendor. However, these two factors are mostly only hindrances to modders on our forums rather than malicious actors. To overcome the limitation of temporary root, a malicious app can simply re-run the MediaTek-su script on every boot. On the other hand, there's little need to overcome dm-verity as permanent modifications to the system or vendor partitions are unlikely to interest most malware authors; after all, there are already tons of things a malicious app can do with a root shell.
System Tweaker PRO [root] v5.0.1 [Paid] [Latest]
If you want to check whether your device is vulnerable to MediaTek-su, then manually run the script posted by XDA Member diplomatic in this XDA forum thread. If you enter a root shell (you'll know when the symbol changes from $ to #), then you'll know the exploit works. If it works, then you'll need to wait for the manufacturer of your device to roll out an update that patches MediaTek-su. If your device reports the Security Patch Level of 2020-03-05, which is the latest March 2020 SPL, then it is almost certainly protected against MediaTek-su. Otherwise, you'll have to just check whether your device is vulnerable. 2ff7e9595c
Comments