Serious Android camera app vulnerability affected hundreds of millions of phones
Internet security firm Checkmarx has discovered (via Forbes) permission bypass vulnerabilities in Android camera apps. After researching the issue on a Google Pixel 2 XL and Pixel 3, Checkmarx says that the same vulnerabilities are found in the camera apps used on other Android phones, including those manufactured by Samsung. With this in mind, the number of smartphone users carrying around this issue on their phones is estimated to be in the hundreds of millions. Erez Yalon, director of security research at Checkmarx, said, "Our team found a way of manipulating specific actions and intents making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung's Camera app."
By exploiting the vulnerability, an attacker could use a rogue application to force the camera on affected phones to snap pictures and record videos even when the phone is locked or the screen is turned off. You can understand how dangerous this vulnerability is. Checkmarx researchers were even able to remotely snap photos on a phone that was in the middle of a voice call. The vulnerability itself bypasses the permission system, but the rogue application that snaps the photos and videos can also gain access to them by obtaining storage permission. If location is enabled for the camera app, the attacker can also discover the current location of the user. The attacker, on the other hand, could be anywhere on the planet.
Had this vulnerability been exploited, it could have cost Android device owners some serious money
To show how dangerous this vulnerability is, Checkmarx developed a "proof of concept" app that required no special permissions outside of the aforementioned storage permission. There were two parts to this app; one represented the malicious app installed on an Android phone, and the other part represented the attacker's command-and-control server. The app that was developed for the PoC was a malicious weather app that connects to the command-and-control server, waiting for instructions from it. This connection persists even if the malicious app is closed.
Using the command-and-control server, the attacker can see the vulnerable devices connected to the server and could force the target phone to take a photo or video and have it uploaded to the server. The attacker would also be able to tag the photos using GPS and pinpoint the location of the device on a map. Additionally, the target phone could be silenced while pictures and videos are recorded. And during a phone call, video from the victim's handset and audio from the other side of the conversation could be recorded.
Checkmarx informed Google of the vulnerabilities, and Google replied that the issue goes beyond just the Pixel line and covers the "broader Android ecosystem." Samsung also confirmed that its Android camera apps are affected. Both took steps to patch the vulnerabilities.
Google did release a statement that said, "We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
Had Checkmarx not discovered the vulnerability and brought it to Google's attention, it could have been exploited by bad actors who would have stolen a ton of money from those sporting an Android phone. The security firm does have a hint for Android device owners, and it is a simple one that doesn't take much effort or time. "For proper mitigation and as a general best practice, ensure you update all applications on your device," says the company.