My friend invited me to lunch and mentioned the word "cafe", but I didn't go.
After 4 hours, I noticed a post related to cafes in my Facebook news feed:
This post isn't very popular and I haven't heard the word "Cafe" for a long time, I can't even recall the last time. So I realized this post is not a coincidence, not again (something I type in ChatGPT also shows similar ads, either OpenAI or my keyboard is selling my data, as expected~).
So I quickly dumped adb logcat, hoping the relevant logs hadn't disappeared yet. Fortunately, it did retain the
05-16 19:39:17.603 log from the previous night:
The next thing I found is quite intriguing:
I recall my friend speaking to me around 12:30 pm (not sure of the exact time, but it was before 1 p.m.), and coincidentally, a suspicious log appears here that is too blatant to ignore!
The
com.vivo.smartshot is a system app on my Vivo phone. I extracted the APK using that package name and found its app label is 'S-Capture' (gi is grep -i):
And yes, it has the microphone/record audio permission:
When I go to the system app settings, its permissions can't be turned off since it's a "system app"!
What is the "S-capture" app really? The Vivo site shows:
I'm only able to take a screenshot by swiping down with three fingers, but I don't see the floating dialogue for recording. It might be a different version, but I don't see any log showing SmartShot.
CVE of Vivo smartshot:
And the Calling a method in the system process without a qualified user is just a warning, not an indication of operation failure, as shown in AOSP:
I initially suspected that S-Capture was the problematic app, or that
another app was exploiting the CVE associated with it.
[CORRECTION] The TID 14053 may get recycled and the rest may be a coincidence since the PID is different
, indicating that TikTok may not be related to triggering SmartShot.
However, I'll leave the information below for reference.
Then, I checked the PID 14053 in the previous log; the adb shell ps -A didn't show it, meaning the process was gone before I tried ps -A. However, the 14053 is present in my log!
But which app is it? I tried to grep the tag
NPTH-TERM above, and it shows the com.ss.android.ugc.trill package name:
com.ss.android.ugc.trill
And the
NPTH-TERM log always appears once the TikTok app is launched:
I confirmed that PID is the TikTok app:
To recap:
4:30 p.m. indicates that I opened the TikTok app around that time. What
does that mean? It's too coincidental that I saw the Facebook app feed around
4:30 pm! The log below proves that I dumped the log right after seeing
the post, maybe a few minutes later. The point is, it was around that
time:
That's quite a series of events! It could be stated like this:
It appears that TikTok, running in the background, managed to record my friend saying "cafe" through the Vivo system app at 12:28 p.m. A few hours later, when I launched TikTok at 4:30 p.m., it seems to have triggered something with this recorded audio, sending it off somewhere. What happened next was interesting - a post about a "cafe" mysteriously appeared in my Facebook news feed!
General public opinions regarding TikTok's alleged microphone listening capabilities are as follows:
Regardless, the presence of Smartshot raises questions.
No comments:
Post a Comment