Data Security

Flaw authorizes attackers to spy on users through Android camera

The same flaw lets attackers extract GPS data.

A few days ago, HackRead shared a video and reported that the Facebook app was using the camera feature on certain versions of iOS without the user’s permission. Now, it has been discovered that a vulnerability in Google and Samsung’s Camera apps on Android enabled other apps to breach users’ privacy.

Apparently, this includes recording videos & call audios, capturing photos and extracting GPS data from the phone’s media data unauthorizedly while uploading it to a C&C server. Furthermore, subtle hacks such as the silencing of the camera’s shutter could also be implemented to further conceal any hidden activity.

Termed as CVE-2019-2234; the vulnerability has been disclosed by Checkmarx in coordination with both Google and Samsung alerting users, the former stating:

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

To understand how this entire process takes place without the user’s permission, it is to be noted that an app needs the following permissions for engaging in any of the aforementioned actions:

  1. android.permission.CAMERA,
  2. android.permission.RECORD_AUDIO,
  3. android.permission.ACCESS_FINE_LOCATION,
  4. android.permission.ACCESS_COARSE_LOCATION

However, in this particular case, it was discovered that merely having permission to access the storage region of the phone gave the apps unrestricted ability to use other features of the camera. Consequently, as the majority of apps rely on gaining storage permissions to operate, this allows a vast number of apps to have the potential to exploit this vulnerability.

Checkmarx has also put together a video to demonstrate such an exploit on a Google Pixel 2 XL with the help of a simple weather app.

To conclude, users can rest assured though knowing that Google has fixed the vulnerability via a Play Store update while simultaneously issuing a patch to all partner vendors.

On the other hand, companies could take away a lesson of responding in the right way just like Google and Samsung did instead of downplaying any exposed flaws within their systems. This not only helps the ecosystem flourish but also helps users take precautions understanding the security limitations their devices may pose.

To Top

Pin It on Pinterest

Share This