
Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying

Vulnerabilities discovered by researchers in the Android camera apps provided by Google and Samsung could have been exploited by malicious actors to spy on hundreds of millions of users.


Cybersecurity firm Checkmarx reported on Tuesday that its researchers have found a way to abuse Android camera applications to conduct a wide range of spying activities, including taking photos, recording videos, tracking a user’s location, and recording voice calls.

The attack was possible due to a series of vulnerabilities collectively tracked as CVE-2019-2234. The research was conducted on Google’s Pixel phones, but it was later discovered that the camera application on Samsung smartphones was affected as well.

The vulnerabilities allowed a malicious application installed on the targeted device to take control of the camera app present on Google and Samsung devices and spy on users without requiring any special permissions.

Checkmarx demonstrated the impact of the vulnerabilities by creating a fake weather application that only requires storage permissions. By exploiting the camera app vulnerabilities while holding storage permissions, the malicious application could take a photo using the victim’s camera, record a video, and record both sides of a voice call. The app could also upload the photos, videos and voice call recordings to the attacker’s server, extract location data from photos to track the victim, and mute the phone in an effort to operate in stealth mode.

The weather app created a persistent connection to the attacker’s server, which would not be terminated when the fake application was closed, thus allowing the hacker to continue spying on the victim.

Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made it possible to bypass permissions by abusing the default camera app.


Google was notified about the vulnerability in early July and the company said it released a patch the same month. Samsung also claims to have released a patch, but it’s unclear when — according to Checkmarx, the company confirmed that its camera app was impacted on August 29.

Checkmarx has published a report detailing the technical aspects of the vulnerabilities.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
