MediaProjection bug

Android smartphones running Lollipop, Marshmallow, and Nougat are vulnerable to an attack that exploits the MediaProjection service to capture the user's screen and record system audio.

Based on the market share of these Android versions, around 77.5% of all Android devices are affected by this vulnerability.

Vulnerability resides in Android MediaProjection service

To blame is MediaProjection, an Android service capable of capturing screen contents and recording system audio.

This service existed in Android since its inception, but to use it, apps needed root access, and they had to be signed with the device's release keys. This restricted the use of MediaProjection only to system-level apps deployed by Android OEMs.

With the release of Android Lollipop (5.0), Google opened this service to any app. The problem is that Google didn't put this service behind a permission that apps would have to request from users.

UI design flaw opens Android users to attacks

Instead, applications only had to request access to this highly intrusive system service via an "intent call" that would show a SystemUI popup warning the user that an app wanted to capture their screen and system audio.

Sometime last winter, security researchers from MWR Labs discovered that an attacker could detect when this SystemUI popup would appear. By knowing when this popup appears, attackers could then trigger an arbitrary popup that showed on top of it and disguised its text with another message.

The technique is called tapjacking and has been used by Android malware developers for years.

"The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups," the MWR team explained in a report published last week.

"This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges that would allow it to capture the user’s screen."

"Furthermore, the SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service. An attacker could trivially bypass this mechanism by tapjacking this pop-up using publicly known methods to grant their applications the ability to capture the user's screen," experts added.
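As an added illustration (not code from the article, MWR, or Google), the snippet below shows what the "intent call" looks like from a third-party app, and how an app's own consent button can refuse touches that arrive while another window is drawn over it, which is the kind of check the affected SystemUI dialog did not perform. The activity name and request code are assumptions.

```java
import android.app.Activity;
import android.content.Intent;
import android.media.projection.MediaProjection;
import android.media.projection.MediaProjectionManager;
import android.os.Bundle;
import android.view.MotionEvent;
import android.widget.Button;

// Hypothetical activity for this example; it is not part of the article.
public class ConsentDemoActivity extends Activity {
    private static final int REQUEST_SCREEN_CAPTURE = 1001; // assumed request code
    private MediaProjectionManager projectionManager;
    private MediaProjection projection;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        projectionManager =
            (MediaProjectionManager) getSystemService(MEDIA_PROJECTION_SERVICE);

        Button capture = new Button(this);
        capture.setText("Start screen capture");
        // Discard touches delivered while another visible window covers this view.
        capture.setFilterTouchesWhenObscured(true);
        // Also inspect the obscured flag ourselves so the attempt can be logged or
        // surfaced to the user instead of silently dropped.
        capture.setOnTouchListener((v, ev) -> {
            if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
                return true; // consume the event; the click handler never runs
            }
            return false;    // normal touch, let the click proceed
        });
        // This is the "intent call": the system shows its own consent popup and
        // returns the user's decision to onActivityResult().
        capture.setOnClickListener(v -> startActivityForResult(
            projectionManager.createScreenCaptureIntent(), REQUEST_SCREEN_CAPTURE));
        setContentView(capture);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode == REQUEST_SCREEN_CAPTURE && resultCode == RESULT_OK && data != null) {
            // Only reached when the user approved the SystemUI popup.
            projection = projectionManager.getMediaProjection(resultCode, data);
        }
    }
}
```

The obscured-touch check protects the app's own dialogs only; the SystemUI consent popup itself is drawn by the system, so on affected versions only the OS update removes the weakness.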

Google patched bug in Android Oreo only

Google has patched this vulnerability in the Android OS this fall, with the release of Android Oreo (8.0). Older Android versions remain vulnerable.

However, researchers said the attack is not 100% silent, as the screencast icon appears in the user's notification bar whenever the screen is being captured or system audio is being recorded.

Android screencast icon

This is not the first major Android vulnerability that came to light this year. Previous research includes the Cloak & Dagger attack, the Toast Overlay attack, and the Broadpwn bug (also affecting iOS).

Prior to discovering the MediaProjection bug, MWR researchers participated in the Mobile Pwn2Own security contest where they found bugs in Huawei and Samsung smartphones.

Last year, the MWR team discovered a severe cross-site request forgery (CSRF) bug that allowed hackers to steal money from several Monero wallets.