More than three quarters of Android phones are susceptible to screen and audio recording attacks by hackers. To execute such attacks, hackers exploit the MediaProjection service, tricking a user into giving the necessary permissions to a malware-laden app.
Even though this vulnerability has been resolved for Android 8 Oreo users, it remains a threat to Android Lollipop, Marshmallow and Nougat users. By design, MediaProjection is able to capture screen activity as well as audio, and although it has legitimate uses, a technique called tap-jacking can turn it into a tool for nefarious activities.
According to a report by Bleeping Computer, the MediaProjection service relies on “intent call” pop-ups to inform users that their audio or screen will be recorded. However, according to security researchers from MWR Labs, these pop-ups can be disguised as something entirely different by overlaying text on top of them, so that users won’t know what the pop-up really is. Using this technique, hackers will most likely disguise the pop-up as something innocent or as a system-generated message when in reality it grants a malicious app access to monitor the device.
Here are some parts of the report released by MWR Labs:
“To use the MediaProjection service, an application would simply have to request access to this system Service via an Intent. Access to this system Service is granted by displaying a SystemUI pop-up that warns the user that the requesting application would like to capture the user’s screen.
It was discovered that an attacker could overlay this SystemUI pop-up which warns the user that the contents of their screen would be captured, with an arbitrary message to trick the user into granting the attacker’s application the ability to capture the user’s screen.”
It is really hard to determine whether an app is going to make use of the MediaProjection service, and that is the problem with this service: it does not rely on a permission. MWR Labs pointed out that over 77.5 percent of active Android devices remain vulnerable to screen and audio recording attacks even though Android Oreo has patched the vulnerability. Android Lollipop, Marshmallow and Nougat still need to be patched before all Android users stop being potential targets of screen or audio recording attacks.
For now, the only fix available is the upgrade for Android Oreo users. For older versions of Android the patch is yet to come, so there won’t be a fix for everyone anytime soon. MWR Labs also gave advice to users who are on older versions of Android:
“However, this attack is not entirely undetectable. When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar. Should users see a screencast icon in their device's notification bar, they should investigate the application/process currently running on their devices.”
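One way to do the investigation the researchers recommend, from a workstation with adb, is to read the output of `adb shell dumpsys media_projection` and see which package currently holds a projection grant. The Python below is an added example, not code from MWR Labs or the original article; the dump layout, the sample text, the package names and the allowlist are assumptions constructed for illustration.

```python
import re

# Constructed samples of `adb shell dumpsys media_projection` output. The layout
# is an assumption modelled on AOSP's media projection service dump and may
# differ between Android versions and vendor builds.
SAMPLE_ACTIVE = """\
MEDIA PROJECTION MANAGER (dumpsys media_projection)
Media Projection:
(com.example.flashlight, uid=10123): TYPE_SCREEN_CAPTURE
"""
SAMPLE_IDLE = """\
MEDIA PROJECTION MANAGER (dumpsys media_projection)
Media Projection:
null
"""

# Hypothetical allowlist: apps the device owner knowingly uses to record or cast.
EXPECTED_RECORDERS = {"com.example.screenrecorder"}

# One grant line: "(<package>, uid=<uid>): <projection type>"
GRANT_RE = re.compile(r"^\s*\((?P<package>[\w.]+), uid=(?P<uid>\d+)\): (?P<type>\w+)\s*$")


def active_projection(dump_text):
    """Return the active grant as a dict, or None when nothing is projecting."""
    for line in dump_text.splitlines():
        match = GRANT_RE.match(line)
        if match:
            return {
                "package": match.group("package"),
                "uid": int(match.group("uid")),
                "type": match.group("type"),
            }
    return None


def triage(dump_text, expected=EXPECTED_RECORDERS):
    """Classify a dump as 'idle', 'expected' or 'investigate'."""
    grant = active_projection(dump_text)
    if grant is None:
        return "idle"
    # A capture held by an app the user never chose for recording is the
    # case the screencast icon is warning about.
    return "expected" if grant["package"] in expected else "investigate"


if __name__ == "__main__":
    for name, text in (("active", SAMPLE_ACTIVE), ("idle", SAMPLE_IDLE)):
        print(name, triage(text), active_projection(text))
```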