Blog: Internet Of Things

Weeping Angel / Fake OFF for Android TV

Ken Munro 08 Mar 2017

Doubtless you’ve seen the coverage around the Wikileaks docs covering the Weeping Angel attack against Samsung smart TVs. We showed something remarkably similar this time last year, though we were working on Android TV. In this case, we used a Sony Bravia TV

The BBC were investigating reports that apps appeared to be snooping on audio in the environment of a smartphone and then serve customised adverts. So, we happily wrote a proof of concept app that used the mike permission on the phone, processed voice to text and then sent the decoded text to a 3rd party.

It’s one thing serving an advert based on audio spying, another altogether listening to our every word. Anyway, we modified the rogue app today to be more like the ‘fake off’ attack by the CIA/MI5:

There’s more on that story here: https://www.pentestpartners.com/blog/how-we-made-the-listening-in-android-app/

It’s installed over USB – it takes a couple of minutes to sideload, so it’s a physical attack just like Weeping Angel appears to be.

Version 1 wasn’t stealthy:

Version 2 is much better:

The next step in this project was either to get the app to run in the background, or to run with a fully blank screen by removing the action bar.

It was a simple matter of setting theme flags to remove it – it’s called NoTitleBar:

And there we have a kind of fake off mode for Android TV. Listening happily and sending the text of the audio to a 3rd party

To prove that it’s not just an image of a TV that’s been switched off, check out the LED we’ve highlighted at the bottom of the screen

So, to me Samsung + Weeping Angel is a bit of a distraction. A nice project, but much easier to carry out over Android TV. It becomes portable across multiple TV brands that way too