Vulnerabilities discovered by researchers in the Android camera apps provided by Google and Samsung could have been exploited by malicious actors to spy on hundreds of millions of users.
Cybersecurity firm Checkmarx reported on Tuesday that its researchers have found a way to abuse Android camera applications to conduct a wide range of spying activities, including taking photos, recording videos, tracking a user’s location, and recording voice calls.
The attack was possible due to a series of vulnerabilities collectively tracked as CVE-2019-2234. The research was conducted on Google’s Pixel phones, but it was later discovered that the camera application on Samsung smartphones was affected as well.
The vulnerabilities allowed a malicious application installed on the targeted device to take control of the camera app present on Google and Samsung devices and spy on users without requiring any special permissions.
Checkmarx demonstrated the impact of the vulnerabilities by creating a fake weather application that only requires storage permissions. Exploitation of the camera app vulnerabilities and having storage permissions allowed the malicious application to take a photo using the victim’s camera, record a video, and record both sides of a voice call. The app could also upload the photos, videos and voice call recordings to the attacker’s server, extract location data from photos to track the victim, and mute the phone in an effort to operate in stealth mode.
The weather app created a persistent connection to the attacker’s server, which would not be terminated when the fake application was closed, thus allowing the hacker to continue spying on the victim.
Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made it possible to bypass permissions by abusing the default camera app.
Google was notified about the vulnerability in early July and the company said it released a patch the same month. Samsung also claims to have released a patch, but it’s unclear when — according to Checkmarx, the company confirmed that its camera app was impacted on August 29.
Checkmarx has published a report detailing the technical aspects of the vulnerabilities.
Related: Mobile Devices Exposed to Spying via Malicious Batteries
Related: Android Flashlight Apps Request up to 77 Permissions
Related: When Good Apps Go Bad: Protecting Your Data Through App Permissions