Researchers from Checkmarx discovered vulnerabilities in the Google and Samsung camera apps back in July 2019, and they are partially disclosing them now. The team worked with Google’s engineers to make sure that people received the patches before the proof of concept was published, but the truth is, some Android vendors remain affected. The researchers initially discovered multiple permission-bypass vulnerabilities in the Google Camera app used on Pixel phones, which led them to dig deeper into the Android ecosystem. This exposed the same flaws (CVE-2019-2234) on the devices of other manufacturers, including Samsung. In total, the vulnerabilities affected hundreds of millions of smartphones.
The Checkmarx team developed a proof of concept to exploit the discovered flaws and proved that it’s possible for an attacker to take control of the camera apps, take photos, record videos, and circumvent various storage permission policies. This can be done via an unrelated rogue application that triggers the relevant functionality in the camera app, and the captured photographs can even be accompanied by microphone recordings and GPS location data. Another, simpler method to steal data is to exfiltrate it directly from the SD card and send it to the C&C server without the user noticing anything. The only thing required for this to work is for the victim to install the rogue app and approve SD storage access permissions.
The PoC can take photos and videos silently, as it is able to silence the camera’s shutter sound no matter what the user’s setting is. Moreover, because the microphone is also accessible to the rogue app, it is also possible to eavesdrop on phone calls, or take images and videos during a phone call, and even pull GPS data simultaneously. The researchers sent their report and PoC to Google, which confirmed the bug in just a week.
Google determined that the impact of the discovered bug was much wider than initially anticipated, so about two months after the initial discovery, it contacted multiple vendors and informed them of the issues. The Play Store version of the Google Camera app has already been patched, so if you are using a Google device you are no longer at risk. Samsung has also released patches to address the vulnerabilities in its camera app, so if you own a Galaxy device, chances are that you’re covered. However, Google has privately admitted that many other makers of Android phones remain vulnerable to this day, so this is another case that exposes the weaknesses that stem from Android’s fragmented nature.