Wednesday 17 May 2023

Is TikTok listening to my conversation?

My friend invited me to lunch and mentioned the word "cafe", but I didn't go.

After 4 hours, I noticed a post related to cafes in my Facebook news feed:

This post isn't very popular and I haven't heard the word "Cafe" for a long time, I can't even recall the last time. So I realized this post is not a coincidence, not again (something I type in ChatGPT also shows similar ads, either OpenAI or my keyboard is selling my data, as expected~).

So I quickly dumped adb logcat, hoping the relevant logs hadn't disappeared yet. Fortunately, it did retain the 05-16 19:39:17.603 log from the previous night:

The next thing I found is quite intriguing:

I recall my friend speaking to me around 12:30 pm (not sure of the exact time, but it was before 1 p.m.), and coincidentally, a suspicious log appears here that is too blatant to ignore!

The is a system app on my Vivo phone. I extracted the APK using that package name and found its app label is 'S-Capture' (gi is grep -i):

And yes, it has the microphone/record audio permission:

When I go to the system app settings, its permissions can't be turned off since it's a "system app"!

What is the "S-capture" app really? The Vivo site shows:

I'm only able to take a screenshot by swiping down with three fingers, but I don't see the floating dialogue for recording. It might be a different version, but I don't see any log showing SmartShot.

CVE of Vivo smartshot:

And the Calling a method in the system process without a qualified user is just a warning, not an indication of operation failure, as shown in AOSP:

I initially suspected that S-Capture was the problematic app, or that another app was exploiting the CVE associated with it.

[CORRECTION] The TID 14053 may get recycled and the rest may be a coincidence since the PID is different

, indicating that TikTok may not be related to triggering SmartShot.

However, I'll leave the information below for reference.


Then, I checked the PID 14053 in the previous log; the adb shell ps -A didn't show it, meaning the process was gone before I tried ps -A. However, the 14053 is present in my log!

But which app is it? I tried to grep the tag NPTH-TERM above, and it shows the package name:
is one of the TikTok apps in the Play Store (left) which targets the Chinese region:

And the NPTH-TERM log always appears once the TikTok app is launched:

I confirmed that PID is the TikTok app:

To recap:

4:30 p.m. indicates that I opened the TikTok app around that time. What does that mean? It's too coincidental that I saw the Facebook app feed around 4:30 pm! The log below proves that I dumped the log right after seeing the post, maybe a few minutes later. The point is, it was around that time:

That's quite a series of events! It could be stated like this:

It appears that TikTok, running in the background, managed to record my friend saying "cafe" through the Vivo system app at 12:28 p.m. A few hours later, when I launched TikTok at 4:30 p.m., it seems to have triggered something with this recorded audio, sending it off somewhere. What happened next was interesting - a post about a "cafe" mysteriously appeared in my Facebook news feed!

General public opinions regarding TikTok's alleged microphone listening capabilities are as follows:

Regardless, the presence of Smartshot raises questions.

No comments:

Post a Comment