Security firm Checkmarx found a security vulnerability in Android smartphones by companies such as Google and Samsung, allowing malicious apps to record video, take photos and capture audio without a user’s permission, and upload content to remote servers. The vulnerability has the potential to allow the surrounding environment of high-value targets to be illegally recorded by smartphones. Android should have prevented apps from accessing smartphone cameras and microphones without the user’s permission, but the vulnerability allows the app to be clearly licensed by the user.
(From: Checkmarx, via TechSpot)
You can use the camera and microphone to capture video and audio with only access to your device’s storage space, which is often the permission required by most apps.
To figure out how this vulnerability works, Checkmarx has developed a proof-of-concept application that looks like a weather application on the surface, but actually collects large amounts of data in the background. Tests have found that even if your phone screen or app is turned off, the app can take photos and record videos, as well as access location data in photos. The app runs in “stealth” mode, eliminates the sound of the camera shutter, records two-way phone calls, and uploads all data to a remote server.
When testers exploit this vulnerability, the screen of the compromised smartphone displays the camera while recording a video or taking a photo so that affected users know what happened. The vulnerability can be secretly exploited when a smartphone display is invisible or the device’s screen is facing down, and a feature can be used to determine when a smartphone’s screen is facing down.
Inc. Google Pixel Camera Application (via)
Google fixed the vulnerability in the Pixel with a camera update released in July, and Samsung fixed it, but the exact timing is unclear. Google said: “We are grateful to Checkmarx for bringing this to our attention and coordinating the disclosure with Google and Android partners. This issue has been addressed on affected Google devices, and we made a Play Store update to the Google Camera app in July 2019. We have also provided a patch to all partners. “
Samsung said: “Since receiving notification from Google about this issue, we have subsequently released a patch to address any issues that may be affected by Samsung devices.” We take our collaboration with the Android team very seriously, which allows us to identify and resolve this issue directly. “
According to Checkmarx, Google said android phones from other manufacturers could also be attacked, but did not disclose specific manufacturers and phone models.
Because it’s an Android vulnerability, Apple’s iOS devices won’t be affected by the vulnerability.
It’s unclear why the app has access to the camera without the user’s permission. Checkmarx speculates that this may be related to Google’s decision to run the camera with Google Assistant, Google’s artificial intelligence assistant service, which other vendors may have enabled.