- Home
- Techniques
- Mobile
- Foreground Persistence
Foreground Persistence
Adversaries may abuse Android's startForeground()
API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.[1] Applications can retain sensor access by running in the foreground, using Android’s startForeground()
API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.[2]
Malicious applications may abuse the startForeground()
API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.[3]
Malicious applications may also abuse the startForeground()
API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.[4]
Procedure Examples
Name | Description |
---|---|
Mandrake |
Mandrake uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.[5] |
Mitigations
Mitigation | Description |
---|---|
Application Vetting |
Applications could be vetted for their use of the |
User Guidance |
If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies. |
Detection
Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.
References
- Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.
- R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.