A vulnerability that allows malicious applications to capture screen contents and record audio without a user’s knowledge impacts over 78% of Android devices, researchers claim.
The issue lies in the MediaProjection service, which Google introduced in the Android Framework with Android 5.0. The service allows applications to capture the screen or record audio without any special permission: an app simply requests access via an Intent.
Prior to Android 5.0, an application either had to run with root privileges or be signed with the device's platform (release) keys in order to hold the system-protected permissions needed to capture screen contents, MWR Labs security researchers explain. With the introduction of MediaProjection, no permission at all needs to be declared in AndroidManifest.xml to use the service.
When an application requests access to the service, a SystemUI pop-up is displayed to warn the user that the program wants to capture the screen. According to MWR, however, an attacker could cover that SystemUI pop-up with an overlay carrying an arbitrary message, tricking the user into tapping the button that grants the malicious app the ability to capture the screen.
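The request flow described above, as an added example written for this page (it is not code from the article or from MWR's advisory): the ordinary MediaProjection API usage on Android 5.0 through 7.1. Nothing in the manifest is needed; the consent pop-up launched by `createScreenCaptureIntent()` is the only gate, and because the app itself launches it with `startActivityForResult`, the app knows exactly when the dialog is on screen. The class name and request code are assumptions.

```java
// Added example: minimal MediaProjection request flow (Android 5.0+ API). No
// <uses-permission> entry is required in AndroidManifest.xml for any of this.
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.hardware.display.DisplayManager;
import android.hardware.display.VirtualDisplay;
import android.media.Image;
import android.media.ImageReader;
import android.media.projection.MediaProjection;
import android.media.projection.MediaProjectionManager;
import android.os.Bundle;
import android.util.DisplayMetrics;

public class CaptureActivity extends Activity {
    private static final int REQUEST_CAPTURE = 0x5EC; // arbitrary request code (assumption)

    private MediaProjectionManager projectionManager;
    private MediaProjection projection;
    private VirtualDisplay virtualDisplay;
    private ImageReader imageReader;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        projectionManager =
                (MediaProjectionManager) getSystemService(Context.MEDIA_PROJECTION_SERVICE);
        // This Intent resolves to a SystemUI Activity that shows the consent pop-up.
        // It is started from this app, so onActivityResult() below fires the moment the
        // user answers, and the app can time any UI of its own around the dialog.
        startActivityForResult(projectionManager.createScreenCaptureIntent(), REQUEST_CAPTURE);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_CAPTURE || resultCode != RESULT_OK || data == null) {
            return; // user declined or dismissed the pop-up
        }
        // The result Intent is the only credential; exchange it for a MediaProjection.
        projection = projectionManager.getMediaProjection(resultCode, data);

        DisplayMetrics metrics = getResources().getDisplayMetrics();
        imageReader = ImageReader.newInstance(
                metrics.widthPixels, metrics.heightPixels, PixelFormat.RGBA_8888, 2);
        // Creating the VirtualDisplay is what turns on the screencast (cast) icon in the
        // status bar, the one user-visible sign that a capture is running.
        virtualDisplay = projection.createVirtualDisplay(
                "capture", metrics.widthPixels, metrics.heightPixels, metrics.densityDpi,
                DisplayManager.VIRTUAL_DISPLAY_FLAG_AUTO_MIRROR,
                imageReader.getSurface(), null, null);
        imageReader.setOnImageAvailableListener(reader -> {
            // acquireLatestImage() returns null when no new frame is queued; a non-null
            // Image carries the pixels in getPlanes()[0]. Windows the foreground app has
            // marked FLAG_SECURE are blanked out of this buffer by the system.
            try (Image frame = reader.acquireLatestImage()) {
                if (frame != null) {
                    frame.getPlanes()[0].getBuffer(); // consume the frame
                }
            }
        }, null);
    }

    @Override
    protected void onDestroy() {
        if (virtualDisplay != null) virtualDisplay.release();
        if (projection != null) projection.stop();
        if (imageReader != null) imageReader.close();
        super.onDestroy();
    }
}
```

The point of the example is what is absent: no permission string, no signature requirement, only a dialog the app itself brings up. Later Android releases tightened this (Android 10 and newer require the projection to run inside a foreground service before `getMediaProjection()` will succeed), but the affected 5.0 to 7.1 releases accept exactly the flow shown.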
“This vulnerability would allow an attacker to capture the user’s screen should the user tap on the SystemUI pop-up that has been overlaid by the attacker with an arbitrary message,” the security researchers explain in a security advisory (PDF).
MWR also points out that, since there is no manifest permission to look for, it is difficult to tell which installed applications use the MediaProjection service at all. Furthermore, the researchers consider the vulnerability severe because the SystemUI pop-up is launched from within the attacker’s own application, so the app knows exactly when the dialog appears and can draw its overlay at that moment without the user noticing.
“The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups. This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges,” the researchers argue.
Because the SystemUI pop-up is the only access control standing between an application and the MediaProjection service, defeating it with a tapjacking overlay, using publicly available techniques, is enough to obtain full screen capture.
The vulnerability has been addressed in Android 8.0, but version fragmentation within the Android ecosystem means that a great many devices will never receive a patch and will remain vulnerable. It is unclear whether patches will be released for older Android versions as well, MWR says.
As of November 9, 2017, the vulnerable platform releases (Android 5.0 through 7.1) were running on 78.7% of Android devices.
The good news is that the attack is not entirely undetectable: “when an application gains access to the MediaProjection service, it generates a Virtual Display which activates the screencast icon in the notification bar,” the researchers explain.
Application developers can protect their own screens by setting the FLAG_SECURE window flag through the application’s WindowManager layout parameters. Windows marked this way are treated as secure and are blanked out of screenshots and of any non-secure display, including the virtual display MediaProjection captures into. This shields only the app’s own windows, not the rest of what the user sees.
MWR reported the issue to Google in January 2017. Google rated the vulnerability High risk and shipped the fix in Android 8.0, but has not provided information on patches for Android 5.0 through 7.1.2 so far, the researchers say.
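The FLAG_SECURE mitigation mentioned above, as an added example written for this page (not code from the article or from MWR): a small Activity that marks its own window secure and, because the flag is per window, also marks a dialog it opens. The class name and the sample strings are constructed for illustration.

```java
// Added example: opting an app's own windows out of screen capture with FLAG_SECURE.
import android.app.Activity;
import android.app.AlertDialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;
import android.widget.TextView;

public class SecureActivity extends Activity {

    /**
     * Marks a window as secure: its contents are blanked out of screenshots and of
     * non-secure displays, which includes the VirtualDisplay a MediaProjection feeds.
     */
    static void markSecure(Window window) {
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Set the flag before the first frame is drawn, i.e. before or right after setContentView().
        markSecure(getWindow());

        TextView view = new TextView(this);
        view.setText("Account balance: 1,234.56"); // constructed sample content
        setContentView(view);
    }

    /**
     * Caveat: FLAG_SECURE applies to one Window. Dialogs, PopupWindows and other Activities
     * each have their own Window and stay capturable unless they are flagged as well.
     */
    void showSecureDialog() {
        AlertDialog dialog = new AlertDialog.Builder(this)
                .setMessage("One-time code: 482913") // constructed sample content
                .setPositiveButton(android.R.string.ok, null)
                .create();
        // The Dialog's Window exists as soon as the Dialog object does, so it can be
        // flagged before show() draws it.
        markSecure(dialog.getWindow());
        dialog.show();
    }
}
```

In a frame captured through MediaProjection, a window flagged this way appears as a black rectangle while everything around it (other apps, the keyboard, notifications) is still recorded. It is therefore a defence for the developer of a sensitive app, not a fix for the platform-level issue the advisory describes.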