MediaProjection vulnerability leaves 77 percent of Android phones open to screen and audio recording attacks
More than three quarters of Android phones are vulnerable to screen and audio recording by attackers. By exploiting the MediaProjection service, an attacker can easily trick a user into granting the relevant rights to a malicious app.
Although the vulnerability has been fixed in Android 8 Oreo, users running Lollipop, Marshmallow or Nougat remain at risk. MediaProjection is -- by design -- able to capture screen activity and audio, and it does have legitimate uses, but through a technique known as tap-jacking a user can be tricked into granting an app permission to use it for more nefarious purposes.
As noted by BleepingComputer, the service relies on "intent call" popups to inform users that their screen or audio is going to be recorded. But security researchers from MWR Labs found that it was possible to disguise these popups as something different by overlaying text on top of them. In this way it would be possible to suggest to a user that they are clicking something innocent when they are, in reality, opening themselves up to surveillance.
A report by MWR Labs explains:
"To use the MediaProjection service, an application would simply have to request access to this system Service via an Intent. Access to this system Service is granted by displaying a SystemUI pop-up that warns the user that the requesting application would like to capture the user's screen.
"It was discovered that an attacker could overlay this SystemUI pop-up which warns the user that the contents of their screen would be captured, with an arbitrary message to trick the user into granting the attacker's application the ability to capture the user's screen."
The problem with MediaProjection is that it does not rely on a permission, making it hard to determine whether an app is going to make use of the service. While Oreo patches the issue, MWR Labs points out that 77.5 percent of active Android devices remain vulnerable.
The only real fix at the moment is to upgrade to Oreo, but this is obviously not going to be an option for everyone. MWR Labs offers the following advice:
"However, this attack is not entirely undetectable. When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar. Should users see a screencast icon in their device's notification bar, they should investigate the application/process currently running on their devices."
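Because the service has no permission that would show up in an app's manifest, triage has to look at what the code references instead. The following is an added example, not taken from the article or the MWR Labs report: it flags apps whose disassembled code references the screen-capture Intent and that also request the overlay permission, on the releases the article lists as affected. The API-level range, the use of SYSTEM_ALERT_WINDOW as a stand-in for overlay capability, the sample packages and the risk labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Lollipop, Marshmallow and Nougat (API 21-25) are affected; Oreo (API 26) is fixed.
AFFECTED_SDK = range(21, 26)
# Framework call that raises the SystemUI capture pop-up.
CAPTURE_REF = "Landroid/media/projection/MediaProjectionManager;->createScreenCaptureIntent"
# Assumption: overlay capability is approximated by this declared permission.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


def declared_permissions(manifest_xml):
    """Return the permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def triage(sdk_level, apps):
    """Map package -> 'high' or 'review' for apps that request screen capture.

    apps: {package: (manifest_xml, disassembled_code_text)}
    """
    findings = {}
    for package, (manifest, code) in apps.items():
        if CAPTURE_REF not in code:
            continue  # no capture request; nothing in the manifest would show one
        overlay = OVERLAY_PERM in declared_permissions(manifest)
        risky = overlay and sdk_level in AFFECTED_SDK
        findings[package] = "high" if risky else "review"
    return findings


def _manifest(package, perms):
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))


# Constructed sample inventory (hypothetical packages, not real apps).
_CALL = "invoke-virtual {v0}, " + CAPTURE_REF + "()Landroid/content/Intent;"
SAMPLE_APPS = {
    "com.example.flashlight": (_manifest("com.example.flashlight", [OVERLAY_PERM]), _CALL),
    "com.example.recorder": (_manifest("com.example.recorder", []), _CALL),
    "com.example.notes": (_manifest("com.example.notes", [OVERLAY_PERM]), "return-void"),
}

if __name__ == "__main__":
    for level in (25, 26):
        print(level, triage(level, SAMPLE_APPS))
```

An app marked "review" is not necessarily malicious; screen recorders and casting tools reference the same call for legitimate reasons.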