Simple Spyware: Androids Invisible Foreground Services and How to (Ab)use Them

TL;DR

This paper uncovers vulnerabilities in Android's foreground service API that enable malicious apps to run invisible background services, bypassing restrictions and potentially spying on users.

Contribution

It identifies API flaws allowing invisible foreground services, demonstrating how they can be exploited for covert user surveillance.

Findings

Flaws in Android API enable invisible foreground services.

Attackers can use these services for covert spying.

Limitations of Android's background execution restrictions can be bypassed.

Abstract

With the releases of Android Oreo and Pie, Android introduced some background execution limitations for apps. Google restricted the execution of background services to save energy and to prevent apps from running endlessly in the background. Moreover, access to the device's sensors was changed and a new concept named foreground service has been introduced. Apps were no longer allowed to run background services in an idle state, preventing apps from using the device's resources like the camera. These limitations, however, would not affect so-called foreground services because they show a permanently visible notification to the user and could therefore be stopped by the user at any time. Our research found out that flaws in the API exists, which allows starting invisible foreground services, making the introduced limitations ineffective. We will show that the found flaws allow attackers to use foreground services as a tool for spying on users.