Bug in Android
Specialists at MWR Labs have described (PDF) a new, rather interesting attack vector against Android devices. The researchers claim that their attack works against devices running Lollipop, Marshmallow and Nougat, which is about 77.5% of all Android-based devices.
The key component of the attack is the MediaProjection service, which makes it possible to capture everything that happens on the screen and to record system audio. This service has been present in Android from the very beginning, but earlier it required root access and special keys; that is, the use of MediaProjection was, as a rule, limited to system applications created by the manufacturers themselves.
However, with the release of Android Lollipop (5.0), Google engineers abolished these restrictions and opened the service to everyone. Worse, to use MediaProjection, an application does not even need to ask the user for any permissions.
The researchers explain that when an application accesses MediaProjection, the user is notified only through an intent call: a SystemUI notification that says the application intends to capture the screen image and system audio, and that asks for permission. The experts found that such a request is very easy to disguise if you know exactly when it will appear on the display and display another notification on top of the SystemUI one. Such a technique is called tapjacking, and criminals have been using it for many years.
“This vulnerability is caused by the fact that the affected versions of Android cannot notice such fake notifications of SystemUI,” the researchers explain. “This allows the attacker to create an application that overlays overlays on top of SystemUI notifications, which will result in an escalation of application privileges and will allow the user to capture the image from the user’s desktop.”
In Android Oreo (8.0), released this fall, the problem described by the experts was eliminated, but due to the huge fragmentation of the market, most devices still remain vulnerable. According to the researchers, the only consolation is that the attack is not completely “invisible”: while audio or the screen contents are being recorded, the corresponding icon is displayed in the notification panel, where the user can see it.