Serious Android flaw may have left cameras secretly exposed


This time around, a team of security researchers found a terrifying flaw in Android camera apps that could let malicious apps take complete control of a phone's camera to spy on users without their knowledge.

According to some sources, a bug in the Google Camera app has been secretly recording Android phone users. "This same technique also applied to Samsung's Camera app." The vulnerability was found by security researchers at Checkmarx, and it allowed an app with only storage permissions to take control of the camera app on your phone to take photos and videos.

Apparently, this includes recording video and call audio, capturing photos, and extracting GPS data from the phone's media data without authorization, while uploading it to a C&C server.

In essence, the vulnerability at hand can be exploited by a malicious app without requiring any special permission from the operating system, making it highly unsafe.

An attacker could also locate the phone on the global map via GPS, and automatically record phone calls with both sides of the conversation. The only permission a rogue app would need to abuse the Google Camera app would be to write to an Android device's storage - a very common permission used by thousands of apps. Normally, users must accept permission requests, but in this case Checkmarx was able to bypass them.

The Google Camera app was patched in July, once Google was notified, and the patch was made available to all partners. Then, late that month, Google agreed with the researchers that the bug might affect other Android OEMs.

"After further digging, we also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem - namely Samsung - presenting significant implications to hundreds-of-millions of smartphone users."

For what it's worth, it can be obvious when someone is hijacking your phone's camera app.

It is unknown if smartphones from other brands were also vulnerable to the flaw.

Pascucci says Checkmarx was able to prove the flaw exists, and Google and Samsung released the necessary fixes with the latest software.

Google has since confirmed the issue, thanking the researchers for their work.

It's not known why apps were able to access the camera without user permission.

"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure", a Google spokesperson told Forbes.

As a proof-of-concept, Checkmarx created a dummy weather application that did not have the CAMERA permission, but it did come with a single STORAGE permission, one that did not appear out of order for a weather app.