If your Android smartphone has Lolipop, Nougat or Marshmallow, then there is every reason for you to feel alarmed because the MediaProjection service can be exploited due to a critical flaw. The service is designed to capture user’s screen and record system audio. Since a majority of Android devices nowadays have these three versions of the OS, therefore, around 77.5% of the Android devices are at risk.
Android’s MediaProjection service has existed since long, but apps needed root access and signed up with the release keys of the device in order to use the service. This is why the use of this service is limited to system level apps only.
But when Android Lolipop 5.0 was released, Google made this service open to everyone but did not secure it with the requirement of permission from the users. Now, the apps can access this service through an intent call that would display SystemUI prompt warning users when the app would capture the screenshot and record system audio, noted BleepingComputer.
Researchers at MWR Labs opine that [PDF] an attacker can detect when this prompt would be shown and the trigger an arbitrary prompt and the content would be disguised with another message using a technique called tap-jacking. Android malware developers have relied upon this particular technique for years, and still, it works.
“To use the MediaProjection service, an application would simply have to request access to this system Service via an Intent. Access to this system Service is granted by displaying a SystemUI pop-up that warns the user that the requesting application would like to capture the user’s screen,” explained MWR researchers.
The reason why this vulnerability is threatening is that the affected android versions cannot identify obscured SystemUI pop-ups allowing an attacker to create an app that draws an overlay upon the pop-up and elevate the privileges of the app. This would let the attacker capture user’s screen.
Android Smartphones Plagued with Bug that Lets Attacker Capture Screen and Record Audio
Since the SystemUI pop-up is currently the only access control method that can prevent the exploitation of MediaProjection service, therefore, an attacker can use tap-jacking to bypass the method and get the permission of capturing the screen.
The attack won’t stay undetected for long, claims researchers at MWR in their latest report, since the captured screenshot will produce an icon that will be displayed on the notification bar. Same would be the case when an attacker records the audio.
Google claims that the bug has been patched in its latest release Android Oreo 8.0, but the previous versions are still vulnerable.