New Android Vulnerability Tricks Users Into Recording Their Screen

We may earn a commission for purchases made using our links.

Android is on billions of devices worldwide, and new vulnerabilities are discovered every day. Now, an exploit discovered by MWR InfoSecurity details how applications in Android versions between 5.0 and 7.1 can trick users into recording screen contents without their knowledge.

It involves Android’s MediaProjection framework, which launched with 5.0 Lollipop and gave developers the ability to capture a device’s screen and record system audio. In all Android versions prior to 5.0 Lollipop, screen-grabbing applications were required to run with root privileges or had to be signed with special keys, but in newer versions of Android, developers don’t need root privileges to use the MediaProjection service and aren’t required to declare permissions.

Normally, an application that uses the MediaProjection framework requests access to the service via an intent, which Android presents to the user as a SystemUI pop-up. MWR InfoSecurity discovered that an attacker could overlay a normal SystemUI pop-up with a decoy to trick the user into granting the application screen-recording permissions. The reason? Android versions newer than 5.0 Lollipop are unable to detect SystemUI pop-ups that are partially obscured.

This vulnerability has currently only been patched in Android 8.0 Oreo, the report states, and because a majority of Android smartphones aren’t running the latest version of Android, it remains a serious risk. Approximately 77.5% of active Android devices are vulnerable to the attack as of October 2, according to MWR InfoSecurity.

There’s no short-term solution to the upgrade problem — that’s on phone manufacturers. In the meantime, though, Android developers can defend against the attack by enabling the FLAG_SECURE layout parameter via their application’s WindowManager, which ensures that the content of the application windows are treated as secure and prevents them from appearing in screenshots or from being viewed on non-secure displays.

On the user-facing side of things, MWR InfoSecurity adds that this attack is not completely undetectable. The report states:

“When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar. Should users see a screencast icon in their devices notification bar, they should investigate the application/process currently running on their devices.”

The moral of the story? Be careful about which apps you download.