Researchers have discovered a design flaw in Android that can be used to remotely capture screenshots or record audio… without the user’s knowledge or consent.


The attack relies on the MediaProjection service in Android, which provides these extensive capabilities and has been available to non-proprietary (third-party) apps since Android version 5.0 (Lollipop). While apps are required to receive the user’s permission to use this service, the new attack uses a screen overlay tactic to deceive users into granting it unknowingly.


At the time of publication, Google has fixed the issue only in Android version 8.0 (Oreo), leaving Android versions 5.0, 6.0 and 7.0, which together account for roughly 77.5% of Android devices, vulnerable.


How the Vulnerability Operates

Unlike other permission requests in Android, such as access to contacts or location, the MediaProjection service does not have a dedicated permission window in which the user grants access. Instead, when an app attempts to use it, a different window appears, called a SystemUI popup. As the researchers discovered, an app can detect when this window is about to appear and display a crafted message of its own that covers the SystemUI popup and persuades the user, unaware of the scheme, to grant the permission to the sensitive MediaProjection service.


Once the app has gained the necessary permission, it can record the device’s screen and audio, making it the ultimate spying tool. The attack is not completely covert, however: a notification of the recording activity appears in the notification bar, though most users are unlikely to understand its true meaning.


The second part of the attack is the screen overlay tactic itself, often called “clickjacking”, a very common method used by mobile malware, especially banking malware and ransomware. While Google has made significant efforts to mitigate this tactic, it is still a successful way to deceive users and steal their credentials.
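The two paragraphs above describe the consent flow that is being hijacked (the SystemUI popup raised by a screen-capture request) and the overlay tactic used to hijack it. The following Android activity is an added example written for this page, not code from the researchers or from Google: it shows the legitimate MediaProjection request path, so a reader can see exactly which call produces the popup, and the standard platform mitigation an app applies to its own sensitive controls (filtering touches delivered while another window is obscuring the view). The class name, the request code and the button label are assumptions. The mitigation only protects the app's own views; the SystemUI popup belongs to the platform, which is why the page says the fix lives in Android 8.0 rather than in third-party code.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.media.projection.MediaProjection;
import android.media.projection.MediaProjectionManager;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;

// Hypothetical activity name; not from the original article.
public class CaptureConsentActivity extends Activity {
    private static final String TAG = "CaptureConsent";
    private static final int REQUEST_MEDIA_PROJECTION = 1001; // assumed request code

    private MediaProjectionManager projectionManager;
    private MediaProjection projection;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        projectionManager =
                (MediaProjectionManager) getSystemService(Context.MEDIA_PROJECTION_SERVICE);

        Button consent = new Button(this);
        consent.setText("Start screen capture"); // assumed label

        // Tapjacking mitigation: the framework drops touches that arrive while
        // another window (e.g. an overlay) is drawn over this view.
        consent.setFilterTouchesWhenObscured(true);

        // Explicit check of the same signal, so the event can be logged for
        // detection purposes rather than silently discarded.
        consent.setOnTouchListener((View v, MotionEvent event) -> {
            if ((event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                Log.w(TAG, "Touch rejected: a window is obscuring the consent control");
                return true; // consume the event; the click never fires
            }
            return false; // let the normal click handling proceed
        });

        consent.setOnClickListener(v -> requestProjection());
        setContentView(consent);
    }

    // This call is what raises the SystemUI consent popup discussed in the article.
    private void requestProjection() {
        Intent consentIntent = projectionManager.createScreenCaptureIntent();
        startActivityForResult(consentIntent, REQUEST_MEDIA_PROJECTION);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQUEST_MEDIA_PROJECTION) {
            return;
        }
        if (resultCode != RESULT_OK || data == null) {
            Log.i(TAG, "User declined screen capture");
            return;
        }
        // Only reached after the user accepted the SystemUI popup; from here the
        // app could attach a VirtualDisplay. The recording notification the
        // article mentions is shown by the system while a projection is active.
        projection = projectionManager.getMediaProjection(resultCode, data);
        Log.i(TAG, "MediaProjection granted");
    }

    @Override
    protected void onDestroy() {
        // Release the projection so capture cannot outlive the activity.
        if (projection != null) {
            projection.stop();
            projection = null;
        }
        super.onDestroy();
    }
}
```

Design note: setFilterTouchesWhenObscured already discards fully obscured touches, so the explicit FLAG_WINDOW_IS_OBSCURED check is there to produce a log line that a security product or the app's own telemetry can act on. It does not change what the system consent dialog does, which is the whole point of the flaw described above.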


Why This Is a Problem

This is not the first time such a design flaw has been discovered. As we wrote in the past, the Android Accessibility service, which is meant to help users with disabilities, was abused to grant attackers extensive permissions by using a similar tactic of displaying a fake overlay page.


That flaw, too, was initially discovered by researchers, but malware was soon spotted using it in the wild for its own malicious purposes. The main problem with vulnerabilities that originate in inherent design flaws is that they are usually much harder to get rid of.


On the one hand, Google does not want to eradicate the use of the service altogether; on the other, it clearly cannot allow the same architecture to keep operating. Since the Android operating system is complex, and these services are intrinsic and crucial for many processes, it is hard to adapt the code so that it is both secure and still allows for agile operation.


How To Stay Protected

To stay protected both from the recently discovered attack and from the wider landscape of mobile malware, users should adopt advanced security measures that can detect and block any attempt to display a fake overlay window, or any other malicious activity, by using dynamic analysis and establishing the context of the activity.