CVE-2018-14980 in ZenFone 3 Max

Summary

by MITRE

The ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208:user/release-keys contains the android framework (i.e., system_server) with a package name of android (versionCode=24, versionName=7.0) that has been modified by ASUS or another entity in the supply chain. The system_server process in the core android package has an exported broadcast receiver that allows any app co-located on the device to programmatically initiate the taking of a screenshot and have the resulting screenshot be written to external storage (i.e., sdcard). The taking of a screenshot is not transparent to the user; the device has a screen animation as the screenshot is taken and there is a notification indicating that a screenshot occurred. If the attacking app also requests the EXPAND_STATUS_BAR permission, it can wake the device up using certain techniques and expand the status bar to take a screenshot of the user's notifications even if the device has an active screen lock. The notifications may contain sensitive data such as text messages used in two-factor authentication. The system_server process that provides this capability cannot be disabled, as it is part of the Android framework. The notification can be removed by a local Denial of Service (DoS) attack to reboot the device.


Analysis

by VulDB Data Team • 09/07/2023

This vulnerability exists in the Android framework of ASUS ZenFone 3 Max devices running Android 7.0 with build fingerprint asus/US_Phone/ASUS_X008_1:7.0/NRD90M/US_Phone-14.14.1711.92-20171208. The core issue is an exported broadcast receiver in the system_server process that lets any locally installed application trigger a screenshot and have the resulting image written to external storage. This bypasses the normal user consent mechanism for screen capture and exposes sensitive on-screen data to unauthorized apps. The weakness is classified as CWE-284 (Improper Access Control): an exported framework component performs a privileged action on behalf of any caller without checking whether the caller should be allowed to request it. The attack vector is particularly concerning because the component lives in the core android package, which users cannot disable or modify, so the exported receiver gives any co-located application a persistent path for capturing and exfiltrating screen content.

The operational impact goes beyond the screenshot itself. If the attacking application also holds the EXPAND_STATUS_BAR permission, it can wake the device and expand the status bar, so the screenshot captures the user's notifications, which may contain two-factor authentication codes, personal messages, or other confidential data. Because this works even while a screen lock is active, the lock screen no longer keeps notification content away from a local app, undermining the protection it is meant to provide. The affected code is part of the core Android framework, so it cannot be patched through an ordinary application update. The screen animation and the screenshot notification make the capture visible in principle, but this transparency does not prevent it: the attack can be automated and run at a moment when the user is not looking at the device. The behaviour maps to ATT&CK technique T1113 (Screen Capture), which covers capturing screen content to obtain sensitive information.

The limiting factor for users is that the functionality sits inside the framework itself: system_server is essential to Android's operation and cannot be removed or altered by third-party applications or users, so there is no application-level workaround. A device reboot, which the summary notes can be forced through a local denial of service, clears the screenshot notification but does not prevent or undo the capture. This is a supply chain security issue: the manufacturer, or another party in the supply chain, modified the standard Android framework in a way that introduced a weakness not present in stock Android. The attack needs only a locally installed application with the relevant permissions and no network connectivity or external attack vector, so it is available to any app the user installs. The screen animation and notification clearly indicate that a screenshot occurred, but they do not reduce the underlying risk of unauthorized data capture. Remediation therefore has to come at the device level, through a corrected firmware build, rather than through application-level fixes. The impact is most severe for users who rely on notification-delivered two-factor authentication codes or handle sensitive personal information on the device.
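A defender-side check for the condition the summary describes, written as an added example rather than code from MITRE, VulDB or ASUS: it uses Android's PackageManager to list broadcast receivers of the core `android` package that are exported and not protected by a permission. The class and method names are assumptions; the page does not name the affected receiver, so the result is a list of candidates for manual review rather than a positive identification.

```java
import android.content.Context;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class name): audit a package for exported
// broadcast receivers that no permission protects, the component type
// CVE-2018-14980 abuses in the framework. Runs from any installed app.
public final class ExportedReceiverAudit {

    /** Receiver components of {@code pkg} that are exported and require no permission. */
    public static List<String> unprotectedExportedReceivers(Context ctx, String pkg)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_RECEIVERS);
        List<String> hits = new ArrayList<>();
        if (info.receivers == null) {
            return hits;   // package declares no receivers
        }
        for (ActivityInfo r : info.receivers) {
            // android:exported="true" with no android:permission means any
            // co-located app can deliver an Intent to this receiver.
            if (r.exported && r.permission == null) {
                hits.add(r.name);
            }
        }
        return hits;
    }

    /** Audit the core framework package ("android") named in the advisory. */
    public static List<String> auditFramework(Context ctx) {
        try {
            return unprotectedExportedReceivers(ctx, "android");
        } catch (PackageManager.NameNotFoundException e) {
            // The framework package is always installed; treat absence as a fault.
            throw new IllegalStateException("framework package not found", e);
        }
    }
}
```

Each hit is a candidate, not a confirmed flaw: a receiver with no permission can still be safe if every action it handles is declared as a protected broadcast, which this check cannot see, so compare the list against a stock AOSP build of the same release and review the extra entries by hand.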

Reservation

08/05/2018

Moderation

accepted

CPE

ready

EPSS

0.00052

KEV

no

Activities

very low
