The camera on Google and Samsung’s Android smartphones was proven to be a major privacy risk, according to researchers at the Checkmarx Security Research Team. They found that the camera app could be used to easily spy on users. Google has confirmed the vulnerability, which impacts not just its Pixel phones, but also other vendors. Samsung also confirmed they are impacted. Both have already issued a fix for the problem.
The details were published by Checkmarx after they had informed both Google and Samsung about the vulnerability. Both vendors approved publication of the details, which is standard protocol when highlighting a serious security flaw. Google was informed about the vulnerability in early July 2019.
In a statement, Google said, “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
So what happened? Researchers say they found issues with the Google Camera app on the Pixel 2 XL and Pixel 3 devices. The vulnerability came from permission bypass issues on Android. More research showed the flaw impacted camera apps of other smartphone vendors in the Android ecosystem.
The security vulnerability (tracked as CVE-2019-2234) allowed an attacker to control the camera app to take photos and videos through a rogue application that did not have explicit permission to do so. Researchers found that in certain attack scenarios malicious actors were able to circumvent various storage permission policies. This gave them access to stored photos, videos and the GPS metadata embedded in them, all of which could be used to spy on the user without their knowledge.
What were the researchers able to carry out due to this vulnerability?
They designed a mock malicious weather app, which was connected to the command and control (C&C) server of the hacker, which in this case was the Checkmarx team. Exploiting the vulnerability, the researchers found they could carry out the following tasks on the compromised Android phone:
First, they were able to take photos on the victim’s phone and upload them to the C&C server, which is exactly what spyware does.
Second, they were able to record a video on the victim’s phone and send it to the C&C server as well.
Third, they could also get the GPS tags for all the photos taken on a phone and locate the phone on a global map, thus easily determining where the user is.
Fourth, the phone could be operated in stealth mode, with photos and videos taken without the user realising this was happening.
Fifth, the researchers were also able to record a voice call, which included video from the victim’s side and audio from both sides of the conversation.
Researchers showed that they were able to make the rogue app get the phone’s camera to take photos even when the phone was locked. They were able to do this in the middle of a voice call as well.
The researchers exploited the storage permission, which is granted to the Android camera application because it has to access the photos and videos stored on the phone’s internal storage. Because the storage permissions are very broad, they end up giving access to the entire storage, which the rogue application exploited.
The vulnerability was first reported on July 4, and Google raised the severity to a ‘High’ level by July 23. In August, Google confirmed others were also impacted, and by the end of August, Samsung confirmed they were also vulnerable. If you are using a Google or Samsung phone, it is best to check that the camera app has been updated and that you have not missed any security updates from either vendor.