Millions of smartphones could be vulnerable to Android camera hack
The camera applications within Google, Samsung and other Android smartphones could be vulnerable to attack, according to some new research.
Researchers at security platform Checkmarx found that in certain circumstances adversaries can take over smartphone camera apps to record videos, take photos, eavesdrop on conversations, and identify GPS coordinates, all without the user knowing.
After a detailed analysis of the Google Camera app, the team found a way of manipulating actions and intents, making it possible for any application, even without specific permissions, to control the Google Camera app. The same vulnerability also applies to Samsung's Camera app.
It's possible for an attacker to force the camera apps to take photos and record video even if the phone is locked or the screen is turned off, or even when a user is in the middle of a voice call. A malicious app that can read the SD card not only has access to past photos and videos but, with this new attack methodology, can also be directed to initiate new photos and videos at will.
Writing on the Checkmarx blog, Erez Yalon, director of security research, says:
When the vulnerabilities were first discovered, our research team ensured that they could reproduce the process of easily exploiting them. Once that was confirmed, the Checkmarx research team responsibly notified Google of their findings.
Working directly with Google, they notified our research team and confirmed our suspicion that the vulnerabilities were not specific to the Pixel product line. Google informed our research team that the impact was much greater and extended into the broader Android ecosystem, with additional vendors such as Samsung acknowledging that these flaws also impact their Camera apps and taking mitigating steps.
In response to the disclosure, Google said, "We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
Users are advised to ensure that they are on the latest version of Android and that their default applications are up to date.
In conclusion Yalon says, "The professionalism shown by both Google and Samsung does not go unnoticed. Both were a pleasure to work with due to their responsiveness, thoroughness, and timeliness."
You can read more on the Checkmarx blog.