Vulnerabilities discovered by researchers in the Android camera apps provided by Google and Samsung could have been exploited by malicious actors to spy on hundreds of millions of users.
Cybersecurity firm Checkmarx reported on Tuesday that its researchers have found a way to abuse Android camera applications to conduct a wide range of spying activities, including taking photos, recording videos, tracking a user’s location, and recording voice calls.
The attack was possible due to a series of vulnerabilities collectively tracked as CVE-2019-2234. The research was conducted on Google’s Pixel phones, but it was later discovered that the camera application on Samsung smartphones was affected as well.
The vulnerabilities allowed a malicious application installed on the targeted device to take control of the camera app present on Google and Samsung devices and spy on users without requiring any special permissions.
Checkmarx demonstrated the impact of the vulnerabilities by creating a fake weather application that only requires storage permissions. By exploiting the camera app vulnerabilities while holding only storage permissions, the malicious application could take a photo using the victim’s camera, record a video, and record both sides of a voice call. The app could also upload the photos, videos and voice call recordings to the attacker’s server, extract location data from photos to track the victim, and mute the phone in an effort to operate in stealth mode.
The weather app created a persistent connection to the attacker’s server, which would not be terminated when the fake application was closed, thus allowing the hacker to continue spying on the victim.
Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made it possible to bypass permissions by abusing the default camera app.
Google was notified about the vulnerability in early July and the company said it released a patch the same month. Samsung also claims to have released a patch, but it’s unclear when — according to Checkmarx, the company confirmed that its camera app was impacted on August 29.
Checkmarx has published a report detailing the technical aspects of the vulnerabilities.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
