Simple Spyware: Androids Invisible Foreground Services and How to (Ab)use Them

Conference:  BlackHat EU 2019



With the releases of Android Oreo and Pie, Google introduced some background execution limits for Android apps [1],[2]. In order to save battery life and prevent sensor access, apps were restricted in how they were capable of executing background services. Apps were no longer allowed to run background services in idle state and therefore preventing apps from using the devices resources like the camera. These limitations however, would not affect so-called foreground services, because foreground services show a permanently visible notification to the user and could therefore be stopped by the user at any time. Our research found out that a flaw in the API exists, which allows to start invisible foreground services, making the introduced limitations useless. Foreground services do not show any visual notification when the execution time of the service is shorter than five seconds. Using this and combining it with another flaw in Androids Job Scheduler API allows to constantly execute arbitrary tasks from a background context. This allows apps to use the resources of the device, even when the app is closed, or the device is in stand-by. Furthermore, we can prove that these flaws can be abused for constantly spying on the user and allowing malware developers to create spyware without the need of complicated exploitation. This simple to implement spyware shows that Androids permission model can't prevent an excessive use of permissions and that the limitations do not prevent the collection of the user's sensitive data. In order to prevent such attacks, it would be necessary to constantly monitor the apps permission usage or to revoke the permissions after every use. Such prevention mechanisms already exist but aren't widely used, which sets the users privacy and security at risk. We will show what users can do in order to guard themselves against such spyware attacks. Furthermore, we will introduce our solution ideas to detect such spyware on Android.[1]: Googles Android Oreo Release Notes: https://developer.android.com/about/versions/oreo/background[2]: Googles Android Pie Release Notes: https://developer.android.com/about/versions/pie/android-9.0-changes-all



Post a comment

Related work

Conference:  Defcon 26

Conference:  Black Hat Asia 2023
Authors: Guangdong Bai, Qing Zhang, Guangshuai Xia

Conference:  Defcon 31
Authors: Ryan Johnson Senior Director, R&D at Quokka, Mohamed Elsabagh Senior Director, R&D at Quokka, Angelos Stavrou Founder and Chief Scientist at Quokka