PT-2019-9088 · Vivo · Com.Vivo.Smartshot+1

Published: 2019-04-25 · Updated: 2019-10-03 · CVE-2018-15000

CVSS v2.0: 3.3 (Low)

Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys
com.vivo.smartshot version 3.0.0

Description

The issue concerns a platform app with a package name of com.vivo.smartshot that contains an exported service named com.vivo.smartshot.ui.service.ScreenRecordService. This service can record the screen for 60 minutes and write the mp4 file to a location of the user's choosing. Normally, a recording notification is visible to the user. However, it is possible to make the screen recording mostly transparent to the user by quickly removing the notification and floating icon. This can be achieved by stopping and restarting the service with different parameters that do not interfere with the ongoing screen recording. The screen recording can be written directly to the attacking app's private directory.

Recommendations

For the Vivo V7 Android device with a build fingerprint of vivo/1718/1718:7.1.2/N2G47H/compil11021857:user/release-keys, consider disabling the com.vivo.smartshot.ui.service.ScreenRecordService service until a patch is available. For com.vivo.smartshot version 3.0.0, restrict access to the screen recording functionality to minimize the risk of exploitation.
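
Added example (not part of the original advisory and not vendor code): a manifest audit that flags the component pattern described above, an exported service with no permission requirement, so that builds can be checked before release. The manifest is a constructed sample with the hypothetical package `com.example.recorder`; it is not the real com.vivo.smartshot manifest, and the input is assumed to be a decoded, plain-text AndroidManifest.xml.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical app, for illustration only).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder">
  <application>
    <service android:name=".ui.service.ScreenRecordService"
             android:exported="true"/>
    <service android:name=".LegacyService">
      <intent-filter><action android:name="com.example.RECORD"/></intent-filter>
    </service>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.permission.RECORD"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(component):
    """An explicit android:exported wins; without it, an intent-filter makes
    the component exported on platforms before Android 12 (e.g. 7.1.2)."""
    flag = component.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return component.find("intent-filter") is not None


def unprotected_exported_services(manifest_xml):
    """Return names of exported services that require no permission."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")  # applies to all components
    findings = []
    for service in app.findall("service"):
        permission = service.get(ANDROID + "permission") or app_permission
        if is_exported(service) and not permission:
            name = service.get(ANDROID + "name", "")
            findings.append(package + name if name.startswith(".") else name)
    return findings


if __name__ == "__main__":
    for name in unprotected_exported_services(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

The check only tests whether a permission is declared; whether that permission actually restricts callers depends on its protection level, which this example does not evaluate.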

Fix


Related Identifiers

CVE-2018-15000

Affected Products

Vivo V7
Com.Vivo.Smartshot