The Indonesian Police, the Cyber Division of the Polda Metro Jaya asked the public to be wary of cellphones (HP) from China with Mediatek chipset technology. Because cellphones with chip technology were found to be prone to fake payments.
Quoted from CNBC Indonesia, according to the police, the vulnerability in question can be used to disable mobile payment mechanisms, and even fake transactions via Android installed on the device. However, the police did not specify the brand of the cellphone in question, only mentioning the code N9T and N11.
The increasing vulnerability in Chinese cellphones with MediaTek chips is said to occur due to a lack of control on the old version. As a result, these weaknesses appear and can be used by hackers to carry out their actions.
Report from Check Point Research
The vulnerability was discovered after a search conducted by Check Point Research (CPR), a research company based in the United States (US).
CPR stated that the cellphone brand in question was the Xiaomi brand. Where is a series of vulnerabilities in Xiaomi applications that are responsible for managing device security and mobile payments, which are used by millions of users around the world.
As written by CPR research quoted on its official website “In this report, CPR (Mobile) researchers analyze the payment system installed on Xiaomi smartphones powered by MediaTek chips, which are very popular in China”.
CPR discovered vulnerabilities in its review that allow payment fraud or disable payment systems directly, from non-privileged Android apps.
CPR said that its research focused on trusted applications from MediaTek-enabled devices. The test device used is the Xiaomi Redmi Note 9T 5G with MIUI Global OS 188.8.131.52.”
As a result, non-privileged Android apps can exploit the CVE-2020-14125 vulnerability to execute code in trusted wechat apps and fake payment plans.
After the disclosure by CPR, this vulnerability was patched by Xiaomi in June 2022.
Additionally, CPR shows how a downgrade vulnerability in Xiaomi’s trusted execution environment (TEE) can enable older versions of the wechat app to steal private keys. This read vulnerability has also been patched and fixed by Xiaomi following the disclosure of research from CPR to the company.***