Android Bug Lets Attackers Record Audio & Screen Activity [source: bleepingcomputer]
by CIRT Team
Android smartphones running Lollipop, Marshmallow, and Nougat are vulnerable to an attack that exploits the MediaProjection service to capture the user’s screen and record system audio.
Based on the market share of these distributions, around 77.5% of all Android devices are affected by this vulnerability.
Vulnerability resides in Android MediaProjection service
To blame is MediaProjection, an Android service that is capable of capturing screen contents and recording system audio.
This service has existed in Android since its inception, but to use it, apps needed root access, and they had to be signed with the device’s release keys. This restricted the use of MediaProjection to system-level apps deployed by Android OEMs.
With the release of Android Lollipop (5.0), Google opened this service to anyone. The problem is that Google didn’t put this service behind a permission that apps could require from users.
UI design flaw opens Android users to attacks
Instead, applications only had to request access to this highly intrusive system service via an “intent call” that would show a SystemUI popup that warned the user when an app wanted to capture his screen and system audio.
Sometime last winter, security researchers from MWR Labs discovered that an attacker could detect when this SystemUI popup would appear. By knowing when this popup appears, attackers could then trigger an arbitrary popup that showed on top of it and disguised its text with another message.
The technique is called tap-jacking and has been used by Android malware devs for years.
“The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups,” the MWR team explained in a report published last week.
“This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges that would allow it to capture the user’s screen.”
“Furthermore, the SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service. An attacker could trivially bypass this mechanism by tapjacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen,” experts added.
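The root cause quoted above is a consent pop-up that cannot tell when it is partially obscured. As an added example (not code from the article or from MWR's report), this is how an app's own confirmation button can refuse taps while an overlay covers any part of its window. The class name is hypothetical, and it assumes a compile SDK of 29 or later, since the partially-obscured flag is only reported by Android 10 (API 29) and newer.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical confirm button (illustrative name) for a consent dialog.
 * It discards every touch delivered while another window covers its window.
 */
public class ObscuredAwareButton extends Button {

    // FLAG_WINDOW_IS_OBSCURED: the touch passed through an overlay at the touched point.
    // FLAG_WINDOW_IS_PARTIALLY_OBSCURED: an overlay covers the window somewhere else,
    // for example the dialog text above the button (reported on API 29+ only).
    private static final int OBSCURED_MASK =
            MotionEvent.FLAG_WINDOW_IS_OBSCURED
            | MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED;

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework filter: drops touches when the touched point itself is covered.
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // Stricter than the framework filter: also reject the tap when only
        // another part of the window is covered, the case described above.
        if ((event.getFlags() & OBSCURED_MASK) != 0) {
            return false; // returning false drops the event
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

On releases older than Android 10 the partial flag is never set, so only the fully-obscured check takes effect there.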