Android with headphones
An Android MediaProjection service exploit could allow an attacker to record a person's screen and audio. abhishek nigam/Pexels

The vast majority of Android smartphones in use today are vulnerable to an exploit that would allow a hacker to hijack the smartphone and record system audio and a person’s on-screen activity, according to MWR Labs.

Android smartphones and tablets running a number of versions of the operating system including Lollipop, Marshmallow, and Nougat have been found to be vulnerable to the attack—meaning more than 77 percent of all Android devices are at risk.

The vulnerability stems from an Android service called MediaProjection, which provides the ability to capture on-screen action and record system audio. The service, which has been present in the Android operating system since its original iteration, is used for any number of legitimate purposes but was opened up to be exploited in more recent versions of Android.

Prior to the launch of Android Lollipop, (version 5.0 of the operating system) in order for an app to make use of MediaProjection, it needed to have root access to the device. In the more recent versions of Android, the restriction on access to the MediaProjection service was lifted, allowing any app to use it—and to do so without having to first gain permission from the user.

In place of the root access requirement or the standard Android permission structure, apps that intended to use MediaProjection would have to request access through system service that produces a pop-up that informs users the app wants to capture the screen and system audio.

Typically such a message would catch a user’s eye, but security researchers discovered that an attacker could program the app to detect when the pop up would appear on screen and counter it by creating its own pop up that displayed other text on top of the system message.

The technique, called “tap-jacking” would trick the user into agreeing to have their screen and system audio recorded because they never saw the actual warning—just the innocuous text created by the attackers to hide the Android system pop-up.

The researchers warned that the affected versions of Android are unable to detect when a system-served pop-up message is being obscured by another message. Because that warning was the only mechanism for users to prevent an app from using MediaProjection—there is no way to change the settings to prevent the service from being used—it is easy for a malicious attacker to perform invasive activities without the user’s knowledge.

“The SystemUI pop-up is the only access control mechanism available that prevents the abuse of the MediaProjection service,” the security researchers wrote. “An attacker could trivially bypass this mechanism by using tapjacking this pop-up using publicly known methods to grant their applications the ability to capture the user’s screen.”

There is some good news for Android users regarding the potentially invasive attack: the company fixed the permission structure for MediaProjection in Android Oreo (version 8.0) to prevent attackers from exploiting it. The bad news is that older versions of the operating system won’t be getting an update to fix the vulnerability, meaning users are on their own to defend against it.

For Android users who remain vulnerable to the attack, it is possible to catch an app in the action of recording the screen by keeping an eye on the notification bar. If an app is recording audio or screen activity, a screencast icon will appear on the bar.