If you’re an Android user, then you have probably heard about the news report regarding the Android camera security threat.
This threat was discovered by Checkmarx’s security team. They also made shocking discoveries in the past concerning Tinder and Amazon’s Alexa. However, their recent discoveries have to do with Samsung and Google smartphones. They revealed that this threat has the potential to affect millions of Android users around the world.
So, what is their recent discovery all about? According to them, attackers can now take over full control of camera apps on smartphones. They can even take photos without the owner knowing.
The attacker can also record videos with your phone, listen to your conversations and even record them! They even have a way of identifying your location, which is really disturbing.
Let’s find out more about this Android camera security threat.
App Vulnerabilities
When Checkmarx security team started researching about the Google Camera app of the Pixel 2XL and Pixel 3 smartphones, they discovered a lot of vulnerabilities. All these vulnerabilities can be exploited because the attacker will have the ability to bypass the phone’s user permissions.
The security team was able to manipulate certain intents and actions. This made it possible for any app, even without permission, to take over control of Google Camera. They applied the same technique with the Samsung Camera app and discovered similar vulnerabilities.
Given the huge user base of Samsung and Google smartphones, they are concerned that such a threat could affect hundreds of millions of users around the world. These vulnerabilities allow rogue applications to remotely gather inputs from the camera and microphone, as well as the GPS location.
What the research team did was simulate an attack scenario that abused the camera app in order to bypass user permissions. They developed a malicious app that’s capable of exploiting the most commonly requested permission, which is storage access.
The team developed a malicious app for Android smartphones that’s capable of reading SD cards. Not only was it able to access videos and photos, but it has also been found to be capable of directing the phone into taking new videos and photos.
Exploitation of Vulnerabilities
The team from Checkmarx devised a POC or proof of concept exploit by creating a malicious app in order to uncover this Android camera security threat. This app doesn’t require special permissions except for basic storage access.
By simply requesting single and commonplace permission, the app won’t trigger an alarm on the user. However, the app is far from being harmless. It consists of two parts. One is a client app that runs on the phone and the other is the command/control server that the app connects to so as to perform the bidding of the attacker.
When the app is downloaded and used, it will trigger a persistent connection to the command/control server. It will then wait for further instructions. Closing the app won’t close the server connection.
What to Do If You're Affected by This Android Camera Security Threat?
Here’s what it’s capable of doing on your phone:
- Ask the phone to record videos and upload to the command server.
- Instruct the phone to take photos and have it uploaded into the command server.
- Access the stored videos and photos that were captured during the attack.
- Obtain GPS tags from the photos taken and use these tags to identify the user’s location.
- Once a voice call is started, it will monitor the phone’s proximity sensor in order to identify if the phone is held close to the ear and take recordings of the audio coming from both sides.
- Operate secretly by putting the smartphone on silent mode while recording the photos and videos. That way, the camera won’t produce any shutter sound that could alarm the user.
- The recording of photos or videos will be initiated even if the phone is unlocked.
- While the calls are being monitored, the attacker will also take a video recording of the user while capturing audio recordings at the same time.
Disclosure Timeline of the Google Camera Vulnerability
Both Samsung and Google have released a disclosure that they had fixed the issue concerning the vulnerabilities of the Google Camera app. However, the disclosure was only made last July 4, which is when Checkmarx provided the vulnerability report to Google’s security team.
In July 13, Google labeled the severity of these vulnerabilities as moderate. However, after the feedback provided by Checkmarx, they raised the severity to high. On August 1st, Google confirmed that these vulnerabilities have affected the broader ecosystem of Android and that other smartphone vendors were also affected.
In August 18, Google reached out to several vendors and on the 29th of August, Samsung confirmed, that indeed, the Android camera security threat has affected some of their devices.
What is Google Saying?
With all these vulnerabilities happening, a lot of people are anticipating what Google has to say. According to the company, they appreciate the effort of Checkmarx for bringing this matter into their attention. They are also happy with the fact that the security team has worked with their Android and Google partners for the disclosures. According to Google, they have already addressed these issues by updating the Camera app in July. They also have a patch available for all partners.
Samsung users are also eager to hear from Samsung regarding the issue. As of this publication, Samsung hasn’t released any statement yet. But the disclosure regarding the vulnerabilities has been delayed. This is until both Samsung and Google are able to come up with fixes. Therefore, if you’ve got the latest version of the Google camera app installed, then that means you are protected from these vulnerabilities.
You just need to update to the latest Android OS. This is to ensure that your mobile device receives the most recent security fixes that could protect you from such security threats.
But despite Google’s assurance that the Android camera security threat has already been fixed, can you still trust any of those apps installed in your Android device now? Feel free to share your thoughts in the comments below!
