There’s another bug on Android that has been putting some of the OS’s integrity in question. Since this is another cybersecurity exploit problem, I’ll try to be as tactful and detailed as possible. Android smartphones running Lolipop, Marshmallow, and Nougat, are vulnerable to an attack that exploits the MediaProjection service to capture the user’s screen and record system audio.
The MediaProjection service is an Android service that is capable of capturing screen contents and record system audio. This service has been around since, well, the beginning of Android smartphones as we know it. However, the way to use it is to have Root Access to the device.
Besides that, users had to have the device’s release keys as well. So this wasn’t going to be accessible to just anyone and it limited the use of MediaProjection only to system-level apps deployed by Android OEMs.
Well, it turns out that since Android 5.0, Google decided to remove these safety features and widely opened the service. The problem is that Google didn’t put this service behind a permission that apps could require from users.
No, no, they only need to give a notification to the user through the SystemUI. The popup warned the user when an app wanted to capture their screen and system audio. By knowing when this popup appears, attackers could then trigger an arbitrary popup that showed on top of it and disguised its text with another message.
The technique has been infamously called “Tap Jacking” and has been used by Android Malware developers for years. “The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect a partially obscured SystemUI pop-ups,” the MWR team explained in a report published last week.
So far the only version of Android that has this issue patched up is the Oreo version (8.0). Every single one of the older Android versions remains vulnerable to this. Don’t worry though, while the attack is concerning, it’s not exactly subtle. The screencast icon will appear in the user’s notification bar whenever an attacker would be recording audio or capturing the screen.