Be cautious! Your conversations might be secretly recorded
Talk overview:
Android app developers have consistently improved their stock Android apps, introducing newer designs and more features so that you can get things done faster and more conveniently.
Samsung's voice recorder app comes stock (pre-installed) on over 1000 million devices. It recently introduced a lock screen widget, which means you can start a voice recording in the background directly from the lock screen for faster and easier access.
This feature contains a vulnerability that allows any local app on the device (including third-party apps), a browser, or an NFC tag to start voice recording in the background with no microphone permission, even while the phone is locked. As a result, a malicious attacker could have recorded your private conversations without you realising it.
Android is a privilege-separated operating system, in which each app runs with a distinct system identity (Linux user ID and group ID). Parts of the system are also separated into distinct identities. Linux thereby isolates apps from each other and from the system.
Apps can define custom permissions, and these are often used to protect application components, such as Activities, Services, Content Providers, and Broadcast Receivers, from third-party applications installed on the device.
In the Samsung voice recorder, the exported BroadcastReceiver and Activities responsible for handling the relevant intent actions carried no such custom permission. Sending those intents started the recording Service and invoked voice recording in the background, even while the phone was locked. It was also possible to trick the target app into saving the recording through an exported activity and to exfiltrate the recording to a server. This vulnerability was assigned CVE-2022-28789.
Because the broadcast receiver started a microphone-type service, an attacker could have started a headless recording without the victim being aware of it. The attack surface is vast: the attack could be triggered by any pre-installed or third-party app, an NFC tag, a browser, and so on.
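To make the misconfiguration concrete, the following added example (not Samsung's code or manifest) contrasts a constructed manifest that exports a receiver and an activity with no permission guard against the corrected form, where a signature-level custom permission protects both components, and runs a small audit that flags exported components lacking a guard. The package, component and permission names are hypothetical; the audit follows the Android rule that a component with an intent-filter and no explicit android:exported attribute is exported by default on older target SDKs.

```python
"""Flag exported Android manifest components that are not guarded by a permission."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed (hypothetical) manifest mirroring the weak pattern:
# an exported receiver and activity with no android:permission attribute.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicerecorder">
  <application>
    <receiver android:name=".RecordControlReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.example.voicerecorder.START_RECORDING" />
      </intent-filter>
    </receiver>
    <activity android:name=".SaveRecordingActivity">
      <intent-filter>
        <action android:name="com.example.voicerecorder.SAVE_RECORDING" />
      </intent-filter>
    </activity>
    <service android:name=".RecordingService"
             android:foregroundServiceType="microphone"
             android:exported="false" />
  </application>
</manifest>
"""

# Corrected form (also constructed): a signature-level custom permission is
# declared and required on every exported component.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.voicerecorder">
  <permission android:name="com.example.voicerecorder.permission.CONTROL_RECORDING"
              android:protectionLevel="signature" />
  <application>
    <receiver android:name=".RecordControlReceiver" android:exported="true"
              android:permission="com.example.voicerecorder.permission.CONTROL_RECORDING">
      <intent-filter>
        <action android:name="com.example.voicerecorder.START_RECORDING" />
      </intent-filter>
    </receiver>
    <activity android:name=".SaveRecordingActivity" android:exported="true"
              android:permission="com.example.voicerecorder.permission.CONTROL_RECORDING">
      <intent-filter>
        <action android:name="com.example.voicerecorder.SAVE_RECORDING" />
      </intent-filter>
    </activity>
    <service android:name=".RecordingService"
             android:foregroundServiceType="microphone"
             android:exported="false" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """True if the component is reachable from other apps."""
    exported = _attr(elem, "exported")
    if exported is not None:
        return exported.lower() == "true"
    # Without an explicit attribute, a component that declares an intent-filter
    # is exported by default (targetSdk < 31 behaviour).
    return elem.find("intent-filter") is not None


def is_guarded(tag, elem):
    """True if a permission protects the component (providers may use read/write)."""
    if _attr(elem, "permission"):
        return True
    if tag == "provider":
        return bool(_attr(elem, "readPermission")) and bool(_attr(elem, "writePermission"))
    return False


def unguarded_exported_components(manifest_xml):
    """Return (tag, name) pairs for exported components with no permission guard."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_exported(comp) and not is_guarded(tag, comp):
                findings.append((tag, _attr(comp, "name")))
    return findings


def permission_protection_levels(manifest_xml):
    """Map each declared custom permission to its protectionLevel."""
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name"): _attr(p, "protectionLevel") for p in root.findall("permission")}


if __name__ == "__main__":
    print("weak:", unguarded_exported_components(WEAK_MANIFEST))
    print("hardened:", unguarded_exported_components(HARDENED_MANIFEST))
    print("levels:", permission_protection_levels(HARDENED_MANIFEST))
```

The audit reports the receiver and the activity in the weak manifest and nothing in the hardened one. The protectionLevel matters as much as the attribute itself: a "normal" or "dangerous" custom permission can be requested by any third-party app, whereas "signature" restricts callers to apps signed with the same key as the recorder, which is the property the abstract's missing guard was supposed to provide.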
In this talk, we will look at the best approach to analysing this vulnerability and at the multiple attack surfaces it exposes, including app links.