Google Confirms Android Camera Security Threat

/0 Comments/in , /by

The security research team at Checkmarx has made something of a habit of uncovering alarming vulnerabilities, with past disclosures covering Amazon’s Alexa and Tinder. However, a discovery of vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, is the biggest to date. What did the researchers discover? Oh, only a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser. . .

The security research team at Checkmarx has made something of a habit of uncovering alarming vulnerabilities, with past disclosures covering Amazon’s Alexa and Tinder. However, a discovery of vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, is the biggest to date. What did the researchers discover? Oh, only a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser. . .

When the Checkmarx security research team began researching the Google Camera app, on the Pixel 2XL and Pixel 3 smartphones that were to hand, they found several vulnerabilities. All of these were initiated by issues allowing an attacker to bypass user permissions. “Our team found a way of manipulating specific actions and intents,” Erez Yalon, director of security research at Checkmarx said, “making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung’s Camera app.” The implications of these vulnerabilities, given the footprint of Google and Samsung smartphones alone, presented a significant threat to hundreds of millions of users.

The vulnerabilities themselves (CVE-2019-2234) allowed a rogue application to grab input from the camera, microphone as well as GPS location data, all remotely. The implications of being able to do this are serious enough that the Android Open Source Project (AOSP) specifically has a set of permissions that any application must request from the user and be approved before enabling such actions. What the Checkmarx researchers did was to create an attack scenario that abused the Google Camera app itself to bypass these permissions. They did so by creating a malicious app that exploited one of the most commonly requested permissions: storage access. “A malicious app running on an Android smartphone that can read the SD card,” Yalon said, “not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will.” (Read more from “Google Confirms Android Camera Security Threat” HERE)

Follow Joe Miller on Twitter HERE and Facebook HERE

You might also like
Don’t Call It a Layoff: Big Tech Is Reportedly Using a Trick to Force Employees Out
Google Diversity Head: Jews Have ‘Insatiable Appetite for War’
How to Stop Using Google Search on Your Computer and Phone
Google and YouTube Target ‘Conspiracy Theories’ in New Quality Control Update
Sign of the Times: Google Searches for ‘World War 3’ Hit Highest Peak EVER
Google and Jigsaw Get Serious About “Extremist” Content