Hacking Android Foreground Services Escalation Of Privileges

By Rony Das on 07 Sep 2022 @ Nullcon
#android #android-security #mobile-hacking #privilege-escalation #security-testing #application-hardening
Focus Areas: 🔐 Application Security , ⚙️ DevSecOps , 📱 Mobile Security , 🎯 Penetration Testing


Abstract

With the releases of Android Oreo and Pie, Android introduced some background execution limitations for apps. Google restricted the execution of background services to save energy and to prevent apps from running endlessly in the background. Moreover, access to the device’s sensors was changed and a new concept named foreground service was introduced, preventing apps from using the device’s resources, like the camera, in the background. These limitations, however, would not affect so-called foreground services, because they show a permanently visible notification to the user and could therefore be stopped by the user at any time.

A researcher named Thomas Sutter found a race condition bug in the foreground notification services in early 2019 and disclosed it at BlackHat EU 19; it rendered the concept of foreground notifications in Android totally ineffective.

I will show you how I bypassed Google’s patch for the bug Thomas found and made the foreground services ineffective again. I was also rewarded $5k by Google.

AI Generated Summary

The talk addresses a privilege escalation technique on Android that bypasses the requirement for a persistent foreground service notification when accessing protected sensors such as the microphone, camera, or location. Android mandates a visible “foreground notification” for any background service accessing these sensors, with a strict five-second window between the startForeground() call and the notification’s appearance. Historically, a vulnerability (CVE-2019-2219) allowed extended access by delaying the notification, but this was patched in Android 10 (December 2019).

The presented bypass exploits threading to operate within the five-second constraint while enabling long-running sensor access. The malicious app starts a foreground service, immediately spawns a separate thread to invoke Android’s built-in MediaRecorder API for audio capture, and then stops the foreground notification—all within approximately two to three seconds. Because the recording is handled by the system-level media server in a different process context, the app’s foreground service can be terminated without halting the recording. The result is continuous audio capture with no persistent notification, severely undermining user awareness.

A live demonstration on a slow Android 10 device showed a brief, easily missed notification flicker before disappearing, while recordings accumulated in the app’s private storage. On faster modern devices, the notification may not appear at all. The speaker notes this bypass remains effective on Android 10, as Google has indicated a fix would require substantial infrastructure changes and has not issued a CVE for it. The technique also applies to camera snapshots and precise location grabs, which complete well within the five-second limit.

The primary implication is the creation of stealthy spyware capable of prolonged surveillance without obvious UI indicators. The work highlights a systemic design limitation in Android’s foreground service model, where the separation between service lifecycle and system-mediated sensor access can be abused through concurrency.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.