services may behave differently on other phones. Some vendors may have additional security measurements
implemented, which can defeat or detect invisible foreground services. As far as we know, it works on
all tested Android Oreo and Pie phones and as well on Android10 devices.
Second, we know that the access to some sensors is restricted to one app at a time: For example,
if the user has already occupied the camera, a foreground service cannot access the camera for spying.
Depending on the persistence strategy, this can occur more often than one may think and can attract the
user’s attention. For example, if our spyware captures a picture and the user has FaceID activated, it can
occur that FaceID cannot access the camera and show an error message.
Third, schedulers may not run at specific times: Android reschedule jobs and alarms, for example, when
the device goes to the idle state. If our device is for a more extended period in stand-by, the schedulers
will likely not execute our code until we use the device again. Furthermore, scheduling strategies can
differ from device to device, and therefore the task execution can work correctly on one device but not
on another.
Fourth, some vendors have different behavior for showing notifications. For example, the location icon
on some phones is shown as soon as the user activates location tracking and is permanently visible in the
top menu bar. Other vendors only show the location icon whenever an app accesses the phone’s location.
So visibility for some features is different on some devices.
Fifth, if we choose a spying strategy that uses many phone resources, like taking a camera picture every
10 seconds, it is likely that the operating system’s battery optimizations will trigger. Depending on the
phone vendor, it may show a notification to the user or directly stop the execution of our app.
Sixth, all the demonstrated malware features work only if the user has already installed the app and
has given the app the necessary runtime permissions.
V. RESULTS
Our demo spyware shows that Android’s permission model cannot prevent excessive use of permissions
and that the limitations do not prevent the collection of the user’s sensitive data. As we described, the
access restriction in Android Pie cannot entirely prevent our access to the critical sensors like the camera
over foreground services. We think the restrictions, in general, are a good idea and give the user more
security, but it still lacks some fundamental points like restricting the file access. We can summarize what
we have done in the following steps:
1) Background Scheduling: We frequently spawn new jobs with a chain of JobScheduler or Alarm-
Manager jobs. With every job we execute, we start a new short-lived foreground service.
2) Invisible Foreground Service: As long as our foreground service’s execution time is shorter than
five seconds
3
, it will not display a notification. The operating system allows only foreground service
to access critical sensors like cameras and microphones.
3) Spying: We can use common spying techniques to collect data from the user during the five-second
window. We tested taking camera pictures, recording audio, uploading files, or tracking the user’s
location and other features. We have shown that our approach works as well on Android10.
Patching these issues is not as simple as it may seem. Since invisible foreground services only use
standard API calls, which are unlikely to be removed soon. Therefore we think that such attacks are likely
to be seen for a longer time. Even if a patch for the foreground service is released and the notification’s
behavior changes, it seems that an attacker still has some possibilities for workarounds. Access and timings
may get patched, but we think it will not entirely prevent such attacks since an attacker can still set the
notification design. Attackers maybe will come up with custom notifications that do not look suspicious
to the user.
3
Five seconds it just the average. Timing may change on other phones.