Since Android 5.0 Lollipop, there exists a new MediaProjection API that allows apps to record videos and take screenshots of other apps. The feature brought screen-capturing and screen-sharing capabilities to Lollipop with a new ‘createVirtualDisplay()’ method that allowed apps “to capture the contents of the main screen (the default display) into a Surface object, which your app can then send across the network”. While the service was technically present in Android from the start, apps originally needed root access to use it; a requirement that was done away with from Android 5.0.

However, while apps require a special permission to use the MediaProjection API, no such permission is needed to use the platform features, which is something that now seems to have rendered about 77.5% of Android devices worldwide vulnerable to an attack that reportedly exploits this loophole to surreptitiously capture users’ screen and record system audio. Affected Android versions include Lollipop (both 5.0 and 5.1), Marshmallow and Nougat. Google has patched up the vulnerability in Android Oreo.

In the affected versions of Android, apps don’t need any specific permission to use the MediaProjection service, and can, instead, request access to it through a SystemUI popup to inform the user about its intent to capture screenshots or record system audio. The problem, however, is that apps can detect when this SystemUI warning is about to pop up, allowing rogue apps to superimpose a fake text on top of the SystemUI warning, thereby fooling unsuspecting users into allowing their screens or audio to be recorded without knowing what they are agreeing to. Unfortunately, affected Android versions are unable to detect partially-hidden SystemUI pop-ups, leaving users potentially vulnerable to serious privacy breaches.

Example of the screencast notification. (Image Courtesy: MWR InfoSecurity)

Known as ‘Tap-jacking’ in security parlance, this serious design flaw in Android was discovered last winter by security researchers from MWR Labs. According to the team behind the discovery, cyber-criminals can “trivially bypass this mechanism by using tapjacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen”. Thankfully, though, users will receive a heads-up whenever any app tries to access the MediaProjection service to record audio or screenshots, so do watch out for the screencast icon on the notification bar  (as seen above) if you suspect any rogue activity on your device.