Android smartphones are in a danger zone right now. Smartphones operating on Lolipop, Marshmallow, and Nougat, are vulnerable to an attack that exploits the MediaProjection service to capture the user’s screen and record system audio. This is a recent study based on the market share of these distributions, which states that around 77.5% of all Android devices are affected by this vulnerability.

Vulnerability detected in Android MediaProjection service:

 Media Projection, i.e. an Android Service should be put to blame at the primary level for capturing screen contents and recording the audio system.

This service had been with Android since its birth, but for its usage apps needed the root access, and they also had to be signed with the device’s release keys. This further restricted the use of MediaProjection only to system-level apps deployed by Android OEMs.

Again, with the release of Android Lolipop (5.0), Google opened up this service for everyone. The problem is that Google didn’t put this service behind a permission that apps could require from users.

UI design flaws increase the chances of attacks to Android users:

Now, applications only had to request the access to this highly intrusive system service via an “intent call” that would show a SystemUI popup that warned the user when an app wanted to capture his screen and system audio.

In the recent past, security researchers from MWR Labs discovered that an attacker could detect when this SystemUI popup would appear. So, by knowing when this popup appears, attackers could then trigger an arbitrary popup that showed on top of it and disguised its text with another message.

This Technique is termed as tap-jacking and has been used by Android malware devices for years.

In a recent report published by the MWR team, they explained that “The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect a partially obscured SystemUI pop-ups. This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges that would allow it to capture the user’s screen. Furthermore, the SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service. An attacker could trivially bypass this mechanism by using tapjacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen”.

Google patched bug in Android Oreo only:

Google has patched this vulnerability in the Android OS this fall, with the release of Android Oreo (8.0). Also, the older Android versions remain vulnerable.

However, researchers have regarded that the attack is not 100% silent, as the screen-cast icon will appear in the user’s notification bar whenever an attacker would be recording audio or capturing the screen.

Android Bug
Image Credit: Bleeping Computer

To conclude, last year, the MWR team has also discovered a severe cross-site request forgery (CSRF) bug that has allowed hackers to steal money from several Monero wallets.