Simple Spyware: Androids Invisible Foreground Services and How to (Ab)use Them

Presented at Black Hat Europe 2019, Dec. 5, 2019, 4:35 p.m. (25 minutes)

With the releases of Android Oreo and Pie, Google introduced some background execution limits for Android apps [1],[2]. In order to save battery life and prevent sensor access, apps were restricted in how they were capable of executing background services. Apps were no longer allowed to run background services in idle state and therefore preventing apps from using the devices resources like the camera. These limitations however, would not affect so-called foreground services, because foreground services show a permanently visible notification to the user and could therefore be stopped by the user at any time. Our research found out that a flaw in the API exists, which allows to start invisible foreground services, making the introduced limitations useless.

Foreground services do not show any visual notification when the execution time of the service is shorter than five seconds. Using this and combining it with another flaw in Androids Job Scheduler API allows to constantly execute arbitrary tasks from a background context. This allows apps to use the resources of the device, even when the app is closed, or the device is in stand-by. Furthermore, we can prove that these flaws can be abused for constantly spying on the user and allowing malware developers to create spyware without the need of complicated exploitation.

This simple to implement spyware shows that Androids permission model can't prevent an excessive use of permissions and that the limitations do not prevent the collection of the user's sensitive data. In order to prevent such attacks, it would be necessary to constantly monitor the apps permission usage or to revoke the permissions after every use. Such prevention mechanisms already exist but aren't widely used, which sets the users privacy and security at risk. We will show what users can do in order to guard themselves against such spyware attacks. Furthermore, we will introduce our solution ideas to detect such spyware on Android.

[1]: Googles Android Oreo Release Notes:

[2]: Googles Android Pie Release Notes:


  • Bernhard Tellenbach - Prof. Dr., Zurich University of Applied Sciences
    Bernhard Tellenbach is professor and heads the information security research group at the Zurich University of Applied Sciences (ZHAW). After he got his M.Sc. in electrical engineering and information technology from ETH Zürich, he started working there as a research assistant and PhD student. In 2012, he completed his dissertation on detection, classification and visualization of anomalies (in network traffic) using generalized entropy metrics. His research interests include anomaly detection, honeypots, malware and threat detection, and information security in general. He leads the Cyber Security platform of the Swiss Academy of Engineering Sciences and is one of three co-founders of the European Cyber Security Challenge. He presides the Swiss Cyber Storm Conference and the Swiss hacking challenge.
  • Thomas Sutter - Mr., Zürich University of Applied Sciences
    Since 2017, Thomas Sutter is a scientific assistant at the Zurich University of Applied Science in Switzerland. After his bachelor's degree in computer science, he started working as research assistant at the Institute of Applied Information Technology in Winterthur. As a member of the information security research team, he is constantly working on developing and testing new security features. Since 2018, he works on his master's degree in computer science with focus on IT security.


Similar Presentations: