Android MediaProjection Bug Lets Attackers Record Audio and Screen

Android Malware KK

Since Android 5.0 Lollipop, there exists a brand new MediaProjection API that permits apps to document movies and take screenshots of different apps. The function introduced screen-capturing and screen-sharing capabilities to Lollipop with a brand new ‘createVirtualDisplay()’ technique that allowed apps “to seize the contents of the primary display (the default show) right into a Floor object, which your app can then ship throughout the community”. Whereas the service was technically current in Android from the beginning, apps initially wanted root entry to make use of it; a requirement that was achieved away with from Android 5.0.

Nonetheless, whereas apps require a particular permission to make use of the MediaProjection API, no such permission is required to make use of the platform options, which is one thing that now appears to have rendered about 77.5% of Android units worldwide susceptible to an assault that reportedly exploits this loophole to surreptitiously seize customers’ display and document system audio. Affected Android variations embrace Lollipop (each 5.0 and 5.1), Marshmallow and Nougat. Google has patched up the vulnerability in Android Oreo.

Within the affected variations of Android, apps don’t want any particular permission to make use of the MediaProjection service, and might, as an alternative, request entry to it by way of a SystemUI popup to tell the consumer about its intent to seize screenshots or document system audio. The issue, nevertheless, is that apps can detect when this SystemUI warning is about to pop up, permitting rogue apps to superimpose a faux textual content on prime of the SystemUI warning, thereby fooling unsuspecting customers into permitting their screens or audio to be recorded with out understanding what they’re agreeing to. Sadly, affected Android variations are unable to detect partially-hidden SystemUI pop-ups, leaving customers doubtlessly susceptible to severe privateness breaches.

Android MediaProjection Bug Lets Attackers Record Audio and Screen Activity
Instance of the screencast notification. (Picture Courtesy: MWR InfoSecurity)

Generally known as ‘Faucet-jacking’ in safety parlance, this severe design flaw in Android was found final winter by safety researchers from MWR Labs. In response to the group behind the invention, cyber-criminals can “trivially bypass this mechanism through the use of tapjacking this pop-up utilizing publicly recognized strategies to grant their purposes the power to seize the consumer’s display”. Fortunately, although, customers will obtain a heads-up at any time when any app tries to entry the MediaProjection service to document audio or screenshots, so do be careful for the screencast icon on the notification bar  (as seen above) if you happen to suspect any rogue exercise in your system.