Leading application security firm Checkmarx has detailed multiple vulnerabilities in the camera apps of Android smartphones from several leading vendors, including Google and Samsung. Originally spotted on Google’s Pixel 2 XL and Pixel 3 smartphones, the vulnerabilities (CVE-2019-2234) stem from ‘permission bypass issues’ that can potentially allow attackers to use third-party apps to take photos, record videos and listen to phone calls without permission.
According to an official blog post from Checkmarx, a detailed analysis of the Google Camera app by the company’s researchers found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. The vulnerability also apparently allows malicious actors to circumvent storage permission policies to access media files on the phone, as well as GPS metadata to locate the user.
A proof-of-concept (PoC) attack designed and implemented by the researchers seemingly shows that malicious apps won’t need any special permission beyond the basic storage permission. “When the client starts the (malicious) app, it essentially creates a persistent connection back to the command-and-control (C&C) server and waits for commands and instructions from the attacker … Even closing the app does not terminate the persistent connection”, said the company.
Once the device is compromised, the attacker can take photos and videos with the victim’s phone and upload them to the C&C server. They can also potentially parse all photos for GPS tags and locate the phone on a global map, thereby ascertaining the geo-location of the unsuspecting victim. What’s more, the audio-video permission also allows the hacker to automatically record phone calls from both sides of the conversation.
Upon being informed by the Checkmarx research team, Google investigated the matter on its own and found that the vulnerabilities were not specific to Pixel devices. According to the search giant, the impact was much greater and extended into the broader Android ecosystem, affecting multiple vendors. The company, however, says it addressed the issue via an update to the Google Camera App back in July 2019 within days of being informed of the problem. Samsung has also confirmed the findings and has started taking steps to mitigate the issue.
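The permission bypass described above belongs to a class of issue in which an app that holds camera and microphone permissions acts on intents sent by apps that hold none. As an added example (not code from Checkmarx, Google or Samsung), the Python script below audits an Android manifest for components that other apps can invoke without any permission guard; the manifest and its package and component names are constructed, since the article does not name the affected components.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed manifest for a hypothetical camera app; all names are made up.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".CaptureActivity">
      <intent-filter>
        <action android:name="com.example.camera.action.CAPTURE"/>
      </intent-filter>
    </activity>
    <activity android:name=".GuardedCaptureActivity" android:exported="true"
              android:permission="android.permission.CAMERA"/>
    <service android:name=".UploadService" android:exported="false"/>
    <receiver android:name=".ShutterReceiver" android:exported="true"/>
  </application>
</manifest>"""

def is_exported(comp):
    """Explicit android:exported wins; before Android 12 an absent attribute
    meant 'exported' whenever the component declared an intent filter."""
    flag = comp.get(A + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (permissions the app holds, components any other app can invoke
    without holding a permission). Findings are review candidates, not bugs."""
    root = ET.fromstring(xml_text)
    held = sorted(p.get(A + "name", "") for p in root.iter("uses-permission"))
    app = root.find("application")
    if app is None:
        return held, []
    app_perm = app.get(A + "permission")  # default guard for every component
    findings = [(tag, comp.get(A + "name"))
                for tag in COMPONENT_TAGS for comp in app.iter(tag)
                if is_exported(comp) and not (comp.get(A + "permission") or app_perm)]
    return held, findings

if __name__ == "__main__":
    held, findings = audit_manifest(SAMPLE_MANIFEST)
    print("holds:", held, "| unguarded exported components:", findings)
```

Launcher activities are exported by design and will appear in the findings, so each hit still needs a manual check of what the component does with the permissions the app holds.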