Multiple releases of Android, namely Lollipop, Marshmallow and Nougat, are affected. They are vulnerable to a bug in the MediaProjection service that enables attackers to capture the user’s screen and record system audio.
It has been estimated that a high percentage of users run the above-mentioned versions of Android: roughly 77.5% of Android devices on the market, all of which ship the Android MediaProjection service.
The culprit is MediaProjection, an Android service designed to capture screen contents and record system audio.
The feature has existed since the early stages of Android development. In the past, however, an app needed root access and had to be signed with the device’s release keys before it could use it. In layman’s terms, it was originally available only to system-level apps deployed by Android OEMs.
Things have changed since then. When Android Lollipop (5.0) was released, Google opened the service to any app and did not put it behind a permission that apps would have to request from users before using it. This user-interface design flaw opened a window for attackers to capitalize on.
Without the root-level access that was required before, applications only need to request access to the service via an “intent call”, which in turn shows a SystemUI pop-up warning the user that an app wants to capture the screen and system audio.
Security researchers from MWR Labs discovered last winter that an attacker could detect when this SystemUI pop-up would appear. With this information, attackers could mask it by triggering an arbitrary pop-up on top of it and disguising its text with another message.
Android malware developers have used this technique, called tap-jacking, for years.
“The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups,” the MWR team explained in a report published last week.
“This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges that would allow it to capture the user’s screen.”
“Furthermore, the SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service. An attacker could trivially bypass this mechanism by tap-jacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen,” experts added.
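The two mechanics the article describes, the “intent call” that triggers the SystemUI consent pop-up and the failure to notice a partially obscured window, map directly onto public Android APIs. The following is an added illustration written for this page, not code from the article or from MWR Labs. It shows, from the app developer’s side, how a screen-capture request is made and how an app can harden its own consent dialog against an overlay placed on top of it. The class name and request code are invented for the example; third-party apps cannot change the SystemUI pop-up itself, so the check here protects the app’s own prompt, which is the same class of problem.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.content.Intent;
import android.media.projection.MediaProjectionManager;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Button;
import android.widget.Toast;

/**
 * Added example (not from the article or MWR Labs). Shows a consent dialog
 * that refuses touches arriving while another window covers it, then issues
 * the MediaProjection "intent call" the article describes.
 */
public class CaptureConsentActivity extends Activity {
    // Arbitrary request code for startActivityForResult (assumption).
    private static final int REQUEST_CAPTURE = 1001;
    private MediaProjectionManager projectionManager;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        projectionManager = (MediaProjectionManager) getSystemService(MEDIA_PROJECTION_SERVICE);
        showHardenedConfirmation();
    }

    private void showHardenedConfirmation() {
        AlertDialog dialog = new AlertDialog.Builder(this)
                .setTitle("Allow screen capture?")
                .setMessage("This app will be able to record everything shown on the screen.")
                .setPositiveButton("Continue", null) // real handler attached below
                .setNegativeButton("Cancel", (d, which) -> d.dismiss())
                .create();
        dialog.show(); // getButton() returns null before show()

        Button allow = dialog.getButton(AlertDialog.BUTTON_POSITIVE);
        // Framework-level filter: touches delivered while this view's window is
        // fully obscured by another window are dropped before any listener runs.
        allow.setFilterTouchesWhenObscured(true);
        // Explicit check that also covers the partially obscured case the MWR
        // report describes; the partial flag only exists from API 29 (Android 10).
        allow.setOnTouchListener((v, event) -> {
            if (isObscured(event)) {
                Toast.makeText(this, "Touch blocked: another app is drawing over this dialog",
                        Toast.LENGTH_SHORT).show();
                return true; // consume the event; it does not count as consent
            }
            return false; // unobscured: let the normal click proceed
        });
        allow.setOnClickListener(v -> {
            dialog.dismiss();
            // The "intent call": SystemUI shows its own consent pop-up for this intent.
            startActivityForResult(projectionManager.createScreenCaptureIntent(), REQUEST_CAPTURE);
        });
    }

    /** True if another window fully or (API 29+) partially covered ours when the touch landed. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        }
        return obscured;
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQUEST_CAPTURE && resultCode == RESULT_OK && data != null) {
            // projectionManager.getMediaProjection(resultCode, data) would open the
            // capture session; left out because this example is about the consent step.
        }
    }
}
```

The point of the two-layer check is the one the MWR quote makes: FLAG_WINDOW_IS_OBSCURED alone is only set when the touched window is completely covered, so an overlay that leaves a sliver of the real dialog visible passes the older filter. Only the partial flag, which the affected versions (5.x to 7.x) do not have, closes that gap, which is why a framework fix rather than an app-side one was needed for SystemUI’s own pop-up.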
Google patched the bug in Android Oreo only
With the latest release, Android Oreo (8.0), Google has already patched this vulnerability. Unfortunately, older versions remain unpatched and vulnerable.
This time the issue is not as silent as other attacks, since the screencast icon will still appear in the user’s notification bar whenever an attacker is using the service to record audio or capture the screen, as shown below.
Before they discovered the MediaProjection bug, the MWR researchers took part in the Mobile Pwn2Own security contest, where they found bugs in Huawei and Samsung smartphones.
Last year, the MWR team discovered a severe cross-site request forgery (CSRF) bug that allowed hackers to steal money from several Monero wallets.