SecurityWeek

Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying

Vulnerabilities discovered by researchers in the Android camera apps provided by Google and Samsung could have been exploited by malicious actors to spy on hundreds of millions of users.

Cybersecurity firm Checkmarx reported on Tuesday that its researchers have found a way to abuse Android camera applications to conduct a wide range of spying activities, including taking photos, recording videos, tracking a user’s location, and recording voice calls.

The attack was possible due to a series of vulnerabilities collectively tracked as CVE-2019-2234. The research was conducted on Google’s Pixel phones, but it was later discovered that the camera application on Samsung smartphones was affected as well.

The vulnerabilities allowed a malicious application installed on the targeted device to take control of the camera app present on Google and Samsung devices and spy on users without requiring any special permissions.

Checkmarx demonstrated the impact of the vulnerabilities by creating a fake weather application that only requires storage permissions. Exploiting the camera app vulnerabilities while holding storage permissions allowed the malicious application to take a photo using the victim’s camera, record a video, and record both sides of a voice call. The app could also upload the photos, videos and voice call recordings to the attacker’s server, extract location data from photos to track the victim, and mute the phone in an effort to operate in stealth mode.

The weather app created a persistent connection to the attacker’s server, which would not be terminated when the fake application was closed, thus allowing the hacker to continue spying on the victim.

Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made it possible to bypass permissions by abusing the default camera app.

Google was notified about the vulnerability in early July and the company said it released a patch the same month. Samsung also claims to have released a patch, but it’s unclear when — according to Checkmarx, the company confirmed that its camera app was impacted on August 29.

Checkmarx has published a report detailing the technical aspects of the vulnerabilities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
