Android Bug Lets Attackers Record Audio & Screen Activity on 3 of 4 Smartphones

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Android smartphones running Lolipop, Marshmallow, and Nougat, are vulnerable to an attack that exploits the MediaProjection service to capture the user's screen and record system audio


Based on the market share of these distributions, around 77.5% of all Android devices are affected by this vulnerability.


Vulnerability resides in Android MediaProjection service
To blame is MediaProjection, an Android service that is capable of capturing screen contents and record system audio.

This service existed in Android since its inception, but to use it, apps needed root access, and they had to be signed with the device's release keys. This restricted the use of MediaProjection only to system-level apps deployed by Android OEMs.

With the release of Android Lolipop (5.0), Google opened this service to anyone. The problem is that Google didn't put this service behind a permission that apps could require from users.

UI design flaw opens Android users to attacks
Instead, applications only had to request access to this highly intrusive system service via an "intent call" that would show a SystemUI popup that warned the user when an app wanted to capture his screen and system audio.

Sometime last winter, security researchers from MWR Labs discovered that an attacker could detect when this SystemUI popup would appear. By knowing when this popup appears, attackers could then trigger an arbitrary popup that showed on top of it and disguised its text with another message.

The technique is called tap-jacking and has been used by Android malware devs for years.
"The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect a partially obscured SystemUI pop-ups," the MWR team explained in a report published last week.


"This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges that would allow it to capture the user’s screen."

Google patched bug in Android Oreo only

Google has patched this vulnerability in the Android OS this fall, with the release of Android Oreo (8.0). Older Android versions remain vulnerable.
However, researchers said the attack is not 100% silent, as the screencast icon will appear in the user's notification bar whenever an attacker would be recording audio or capturing the screen.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top