Android 5.0 screen recording vulnerability (CVE-2015-3878) threat warning

ID MYHACK58:62201567995
Type myhack58
Reporter Anonymous
Modified 2015-10-18T00:00:00


Chapter 1: How the vulnerability works

I. New feature in Android 5.0

Android 5.0 added a screen recording interface. It requires no special permission; an application uses the following system APIs to record the screen:

[figure: system APIs used for screen recording]

When a recording request is made, the system pops up the following message box asking the user to confirm:

[figure: screen capture confirmation dialog]

In the figure above, "AZ Screen Recorder" is the name of the application that wants to record the screen, and "will start capturing everything displayed on your screen" is the system's own message, which cannot be changed or deleted. When the user taps "Start now", recording begins, and when it finishes an mp4 file is generated in the specified directory.

II. How the vulnerability works

Before recording starts, the application calls MediaProjectionManager.createScreenCaptureIntent() to make the recording request:

    Intent captureIntent = mMediaProjectionManager.createScreenCaptureIntent();
    startActivityForResult(captureIntent, REQUEST_CODE);

createScreenCaptureIntent returns an Intent to the application, which then calls startActivityForResult to send the request.

    public Intent createScreenCaptureIntent() {
        Intent i = new Intent();
        i.setClassName("com.android.systemui",
                "com.android.systemui.media.MediaProjectionPermissionActivity");
        return i;
    }

When MediaProjectionPermissionActivity receives the request, it first looks up the package information of the requesting application:

    public void onCreate(Bundle icicle) {
        ...
        PackageManager packageManager = getPackageManager();
        ApplicationInfo aInfo;
        try {
            aInfo = packageManager.getApplicationInfo(mPackageName, 0);
            mUid = aInfo.uid;
        } catch (PackageManager.NameNotFoundException e) {
            Log.e(TAG, "unable to look up package name", e);
            finish();
            return;
        }
        ...
    }

Next, MediaProjectionPermissionActivity pops up an AlertDialog asking the user to authorize the recording. The message in the AlertDialog is made up of two parts: the name of the application requesting the recording, and the sentence "will start capturing everything displayed on your screen".

    public void onCreate(Bundle icicle) {
        ...
        // The label comes from the requesting app and is used without a length check.
        String appName = aInfo.loadLabel(packageManager).toString();
        ...
        final AlertController.AlertParams ap = mAlertParams;
        ap.mIcon = aInfo.loadIcon(packageManager);
        ap.mMessage = getString(R.string.media_projection_dialog_text, appName);
        ...
    }

The system performs no length check on the application name here. The dialog resizes to fit its content, so when the application name is long enough, the sentence "will start capturing everything displayed on your screen" is no longer within the visible area of the AlertDialog. The user sees only a long application name and never sees the important information the system actually wants to convey: that this software is going to record the screen.

To exploit this vulnerability, an attacker only needs to give a malicious program a specially constructed application name that reads as "reasonable". This turns the prompt into a UI trap: it loses its original purpose as a screen recording authorization prompt, and the malicious program records the user's phone screen without the user's knowledge.

Chapter 2: Exploitation and prevention

I. Exploitation

We prepared a test demo of the vulnerability against a bank's Android client, simulating the process of "stealing" a user's ID and password. The demo's application name is as follows:

    <string name="app_name">xx Bank Client notes:\n1, do not use online banking in public places, to prevent others from peeking at your password.\n2, do not use online banking on public networks such as Internet cafes and libraries, to prevent others from installing a monitoring program or Trojan horse to steal your account and password.\n3, log out promptly each time you finish using online banking.\n4, when using other channels such as ATM withdrawals, self-service terminal sign-on and transactions, take care to protect your password input, to prevent others from stealing your account and password through video or other means.\n5, never reveal your username, password or any personally identifiable information to others.\n6, if your personal data changes, such as contact details or address, please update the relevant information promptly through the banking system.\n7, review your transactions periodically and check your account statements.\n8, if you have any doubt or problem, please call our bank's unified national customer service number "95555". Click the "Start" button to continue \t\t\t\t\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\naaa</string>
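The traits the demo application name relies on (great length, embedded line breaks, and a run of tabs and blank lines) can be checked for in an app's label resource during review. The following is an added example, not code from the original article: the thresholds, function names and both sample resources are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Triage thresholds: assumptions for this example, not values from Android.
MAX_LABEL_CHARS = 40   # a launcher label is normally a few words
MAX_LABEL_LINES = 1    # a genuine app name fits on one line

# Constructed sample resources (not taken from a real app).
BENIGN = '<resources><string name="app_name">AZ Screen Recorder</string></resources>'
PADDED = ('<resources><string name="app_name">xx Bank Client notes:\\n1, do not use '
          'online banking in public places.\\nClick "Start" to continue'
          + '\\t' * 3 + '\\n' * 8 + 'aaa</string></resources>')

def unescape(value):
    """Expand the backslash escapes used in Android string resources."""
    simple = {"n": "\n", "t": "\t"}
    def repl(m):
        if m.group(1):                       # \uXXXX escape
            return chr(int(m.group(1), 16))
        return simple.get(m.group(2), m.group(2))
    return re.sub(r"\\(?:u([0-9a-fA-F]{4})|(.))", repl, value, flags=re.S)

def audit_label(strings_xml, name="app_name"):
    """Return findings for the named string resource; an empty list means clean."""
    findings = []
    for node in ET.fromstring(strings_xml).iter("string"):
        if node.get("name") != name:
            continue
        label = unescape("".join(node.itertext()))
        breaks = label.count("\n")
        if len(label) > MAX_LABEL_CHARS:
            findings.append("length %d exceeds %d" % (len(label), MAX_LABEL_CHARS))
        if breaks + 1 > MAX_LABEL_LINES:
            findings.append("%d line breaks in label" % breaks)
        if re.search(r"[\n\t]{4,}", label):
            findings.append("run of blank lines or tabs (layout padding)")
    return findings

if __name__ == "__main__":
    for title, doc in (("benign", BENIGN), ("padded", PADDED)):
        print(title, audit_label(doc) or "ok")
```

A label that trips all three checks is worth manual review before the app is allowed to request screen capture on managed devices.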
