Uncovering Android Malicious Anti‑Kill Vulnerabilities in Foreground Services
This article explains how Android malicious anti‑kill techniques exploit foreground services to keep processes alive, outlines the Low Memory Killer mechanism, details process priority values, presents real CVE examples, and offers mitigation strategies for developers and security researchers.
Malicious Anti‑Kill Vulnerability Overview
Android anti‑kill refers to keeping a process active in the background for as long as possible, preventing the system from killing it.
Definition of Malicious Anti‑Kill
Malicious anti‑kill techniques allow apps to run hidden background tasks, collect user input, harvest privacy data, push ads, consume excessive resources, drain battery, and degrade system performance.
Harms of Malicious Anti‑Kill
These techniques can silently record audio, consume CPU and memory, cause lag, and disrupt the Android ecosystem by monopolizing resources.
Android Low Memory Killer (LMK) Mechanism
The LMK daemon monitors memory pressure and, when memory runs low, kills the least important processes first, selected by their oom_score_adj values, to keep the system responsive.
Process Classification and OOM_ADJ Values
Foreground process (oom_adj 0, oom_score_adj 0): Runs in the foreground; user‑visible activity.
Visible process (oom_adj 1, oom_score_adj 100): UI is visible but not interacting, e.g., live wallpaper.
Perceptible process (oom_adj 3, oom_score_adj 200): Background playback or download services.
Service process (oom_adj 7, oom_score_adj 500): Hosts a service started with startService and falls into none of the higher‑priority categories.
Cached process (oom_adj 13‑15, oom_score_adj 900‑999): Holds no active components and is kept only as a cache; these are killed first.
Priority order: Foreground > Visible > Perceptible > Service > Cached. Processes with an oom_score_adj of 900 or higher (the cached range) are the first to be killed.
Foreground Service Anti‑Kill Principle
By calling startForeground, a service raises its hosting process to perceptible or visible priority (PERCEPTIBLE_APP_ADJ or VISIBLE_APP_ADJ), which places it well above the range the LMK kills first.
Common Foreground Service Anti‑Kill Vulnerability Types
Malicious apps hide the notification that a foreground service is supposed to display, so the process keeps running without the user noticing. Two techniques are described below: starting a background recording thread and then stopping the service, and deleting the notification channel after the service has started.
Example: CVE‑2019‑2219
Once a foreground service has been requested, the app has five seconds to call startForeground; if it does not, the system stops the service and raises an ANR. An attacker abuses this window by starting a background recording thread from the service and then stopping the service before the deadline, so no notification is ever shown while the thread lives on in the process.
Example: CVE‑2021‑0513
After starting a foreground service, the app deletes the associated notification channel, removing the visible notification while the service continues to run.
Mitigation
When deleting a notification channel, the system should throw an exception if a foreground service is still bound to that channel, preventing the removal.
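A simplified model, added here as an example (not code from Android or from the OPPO article), that ties together the priority escalation described under the anti‑kill principle, the channel‑deletion pattern of CVE‑2021‑0513, and the check proposed as mitigation. Package names, the channel id and the memory‑pressure threshold are constructed.

```python
from typing import List, Optional
PERCEPTIBLE, SERVICE, CACHED_MIN = 200, 500, 900  # oom_score_adj tiers from the table above
class Proc:
    def __init__(self, name: str, adj: int):
        self.name, self.oom_score_adj = name, adj
        self.fg_channel: Optional[str] = None  # channel of its foreground notification, if any
class AndroidModel:
    """Toy model of the LMK and foreground services, not the real framework."""
    def __init__(self, enforce_channel_check: bool):
        self.enforce = enforce_channel_check  # True = the mitigation above is applied
        self.procs, self.channels = {}, set()  # name -> Proc, ids of existing channels

    def start_foreground(self, name: str, channel: str) -> None:
        # startForeground posts a notification on the channel and promotes the process
        p = self.procs[name]
        p.fg_channel = channel
        p.oom_score_adj = min(p.oom_score_adj, PERCEPTIBLE)

    def delete_channel(self, channel: str) -> None:
        # Mitigation: refuse deletion while a foreground service still uses the channel
        users = [p.name for p in self.procs.values() if p.fg_channel == channel]
        if self.enforce and users:
            raise PermissionError(f"channel {channel} in use by {users}")
        self.channels.discard(channel)  # vulnerable path: notification vanishes, service lives on

    def lmk(self, threshold: int) -> List[str]:
        """Kill every process whose adj is at or above the threshold; return their names."""
        killed = [n for n, p in self.procs.items() if p.oom_score_adj >= threshold]
        for n in killed:
            del self.procs[n]
        return killed

    def hidden_foreground_services(self) -> List[str]:
        """Audit view: foreground services whose notification channel no longer exists."""
        return [n for n, p in self.procs.items()
                if p.fg_channel and p.fg_channel not in self.channels]

def run(enforce: bool) -> dict:
    # Constructed scenario: com.example.stealth plays the malicious app
    m = AndroidModel(enforce)
    m.procs = {n: Proc(n, a) for n, a in [("com.example.stealth", SERVICE),
                                          ("com.example.cached", CACHED_MIN)]}
    m.channels.add("stealth_ch")
    m.start_foreground("com.example.stealth", "stealth_ch")
    try:
        m.delete_channel("stealth_ch")
    except PermissionError as e:
        return {"blocked": str(e)}  # patched system: deletion refused, notification stays visible
    return {"killed": m.lmk(CACHED_MIN), "hidden": m.hidden_foreground_services(),
            "adj": m.procs["com.example.stealth"].oom_score_adj}
```

On the unpatched model the cached process dies while the hidden service survives at adj 200; with the check enabled the deletion fails and the notification remains.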
Summary
Malicious anti‑kill techniques in Android focus on elevating process priority to evade the LMK, enabling covert data collection, location tracking, audio recording, and ad injection, while degrading device performance and battery life. Developers should be aware of these risks and implement proper checks when managing foreground services and notification channels.
OPPO Amber Lab
Centered on user data security and privacy, we conduct research and open our tech capabilities to developers, building an information‑security fortress for partners and users and safeguarding OPPO device security.