A security flaw in Android OS makes it possible for rogue apps to hijack a user’s smartphone camera to take pictures, record video and audio, and upload those files to an external server — all without users’ knowledge, even when the phone is locked!
Cybersecurity firm Checkmarx uncovered these flaws back in July, but the findings were published yesterday. While Google and Samsung have patched this Android flaw in their devices, other smartphones that use Android OS are still vulnerable to it.
So it is quite possible that hundreds of millions of smartphone users could have been susceptible to exploitation. Checkmarx disclosed the bugs as CVE-2019-2234, which arises from permission bypass issues.
How does the Android flaw work?
Google is strict when it comes to granting permissions to mobile apps for accessing the camera, microphone, or location services. Hence, users must accept permission requests, but in this case, Checkmarx was able to bypass them.
The camera app on Android usually stores images and videos on an SD card, and this is why apps require storage permissions.
However, storage permissions are very broad, and these permissions give access to the entire SD card. In Checkmarx’s attack scenario, if a malicious app is granted access to the SD card, it can not only access previous photos and videos but also force the photo app to take new images and videos.
What makes it worse is that GPS metadata is often embedded into images, so an attacker can basically parse this data to track a user’s location as well. In addition to this, the researchers were able to record both the caller’s and the receiver’s voices during a call.
Keep Your Android Devices Updated
Checkmarx submitted this vulnerability report to Android’s Security team at Google in July. In August, both Google and Checkmarx contacted different smartphone makers regarding the vulnerability, and Samsung confirmed that it was affected.
Now Google has also confirmed the same and released a patch for this camera flaw to Android partners. We don’t have an exact number of how many devices have been affected by this issue, or whether they have received the patch yet — and this number may run into the millions.
But we do know that Google and Samsung have patched this flaw, and all Android users should install security updates as soon as they receive them.