A bug in Android allows an app to record everything happening on the screen, along with audio

Specialists from MWR Labs have described (PDF) a new and rather interesting attack vector against Android devices. The researchers claim that their attack works against gadgets running Lollipop, Marshmallow and Nougat, which is about 77.5% of all Android-based devices.

The key component of the attack is the MediaProjection service, which allows capturing everything that happens on the screen and recording system audio. This service has been present in Android from the very beginning, but earlier its use required root access and special keys, so MediaProjection was, as a rule, limited to system applications created by the manufacturers themselves. However, with the release of Android Lollipop (5.0), Google engineers removed these restrictions and opened the service to everyone. Worse, to use MediaProjection an application does not even need to ask the user for any permissions.

The researchers explain that when an application accesses MediaProjection, the user is notified only via an intent call: a SystemUI notification that informs the user that the application intends to capture the screen "picture" and system audio, and requests permission. The experts found that such a request is very easy to disguise if you know exactly when it will appear on the display and show another SystemUI notification on top of it. This technique is called tapjacking, and criminals have been using it for many years.

"This vulnerability is caused by the fact that the affected versions of Android cannot detect such fake SystemUI notifications," the researchers explain. "This allows the attacker to create an application that draws overlays on top of SystemUI notifications, which results in an escalation of the application's privileges and allows it to capture the image of the user's screen."

The problem described by the experts was fixed in Android Oreo (8.0), released this fall, but due to the huge fragmentation of the market most devices still remain vulnerable. According to the researchers, the only consolation is that the attack is not completely "invisible": while audio or the screen is being recorded, a corresponding icon is displayed in the notification panel, where the user can see it.

https://exploit.in/2017/11329/


Comments


[11 Points] throwaway12-ffs:

Post in /r/hacking. Nobody should be using markets with a cellphone anyways; don't think that was the message you were trying to get across with posting this on a darknet forum (hopefully not anyways), but it would make more sense there than here.


[1 Points] AlpraCream:

This one from last year is still able to deanonymize you. As long as you are blocking scripts you are good.

https://www.bleepingcomputer.com/news/security/ultrasound-tracking-could-be-used-to-deanonymize-tor-users/


[1 Points] TheBookofTor:

This bug you are talking about is called ''Google'' and also ''Facebook''.

-sarcasm mode on-

But don't worry. Facebook claims that they are using this method only to show proper advertisement related to your chat and browsing history. Facebook does not work with FBI, so you are safe.

-sarcasm mode off-


[-4 Points] fuckmepelican:

Get u a iPhone broke nigga 😂💗