Security Experts:

Connect with us

Hi, what are you looking for?


Mobile & Wireless

Screen/Audio Capture Vulnerability Impacts Lion’s Share of Android Devices

A vulnerability that allows malicious applications to capture screen contents and record audio without a user’s knowledge impacts over 78% of Android devices, researchers claim.

A vulnerability that allows malicious applications to capture screen contents and record audio without a user’s knowledge impacts over 78% of Android devices, researchers claim.

The issue is caused by the MediaProjection service introduced by Google in the Android Framework on Android 5.0. This service allows applications to capture the screen or record audio without special permissions, by simply requesting access via an Intent.

Prior to Android 5.0, an application would either have to run with root privileges or be signed with the device’s release keys to use system protected permissions to capture screen contents, MWR Labs security researchers explain. With the introduction of MediaProjection, no permissions are required in the AndroidManifest.xml to use the service.

When an application requires access to this system Service, a SystemUI pop-up is displayed to warn the user that the program wants to capture the screen. According to MWR, however, an attacker could overlay the SystemUI pop-up with an arbitrary message meant to trick the user into granting the malicious app the ability to capture the screen.

“This vulnerability would allow an attacker to capture the user’s screen should the user tap of the SystemUI pop-up that has been overlayed by the attacker with an arbitrary message,” the security researchers explain in a security advisory (PDF).

MWR also explains that it is difficult to determine which applications use the MediaProjection service, given that there are no permission requirements. Furthermore, the researchers claim that the vulnerability is severe because the SystemUI pop-up is launched within the context of the attacker’s application, meaning that the app can detect it and draw the overlay without the user noticing.

“The primary cause of this vulnerability is due to the fact that affected Android versions are unable to detect partially obscured SystemUI pop-ups. This allows an attacker to craft an application to draw an overlay over the SystemUI pop-up which would lead to the elevation of the application’s privileges,” the researchers argue.

Because the SystemUI pop-up is the only access control mechanism meant to prevent malicious applications from abusing the MediaProjection service, an attacker could also bypass the mechanism by tapjacking the pop-up using publicly available methods.

The vulnerability has been addressed in Android 8.0, but version fragmentation within the Android ecosystem means that there are a great deal of devices that will never receive a patch, thus remaining vulnerable. It’s unclear whether patches will be released for older Android iterations as well, MWR says.

As of November 9, 2017, vulnerable platform releases (Android 5.0 to Android 7.1) are running on 78.7% of Android devices out there.

The good news is that the attack is not entirely undetectable: “when an application gains access to the MediaProjection service, it generates a Virtual Display which activates the screencast icon in the notification bar,” the researchers explain.

Application developers can defend against this attack by enabling the FLAG_SECURE layout parameter via the application’s WindowManager. Thus, the contents of applications are treated as secure and won’t appear in screenshots.

MWR reported the issue to Google in January this year. The Internet giant assessed the vulnerability as High risk and released Android 8.0 with a patch for it, but hasn’t provided information on patches for Android 7.1.2 to 5.0 as of now, the researchers reveal.

Related: Android Malware Exploits Recently Patched ‘Toast’ Flaw

Related: Android Malware Exploits Dirty COW Vulnerability

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.