A new security vulnerability has been found in Android devices that could allow attackers to hijack an Android camera and spy on unsuspecting users.
Researchers from Checkmarx disclosed a new vulnerability that allows apps to take pictures and record videos without obtaining permission.
Tracked as CVE-2019-2234, the vulnerability impacts the Google Camera and Samsung Camera apps if they have not been updated since before July 2019.
Following an analysis of the Google Camera app, Checkmarx discovered that by manipulating specific actions and intents, a threat actor could control the app and take images and/or record videos without permission.
In addition, the researchers also discovered that certain attack scenarios allow malicious actors to bypass storage permission policies – thus providing them with access to stored videos and photos, as well as GPS metadata embedded in photos. The same method also applied to Samsung’s Camera app.
“A malicious app running on an Android smartphone that can read the SD card not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will. And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data,” reported Checkmarx.
According to Checkmarx, multiple apps that have no interest in photos or videos, such as weather apps, nevertheless request storage permission, which is what makes this problematic.
This allowed the researchers to create a proof-of-concept app that impersonates a weather app but quietly sends picture, video and audio recordings to a demo command & control server under the researchers' control.
Checkmarx disclosed the vulnerability to Google on July 4, and by July 23, Google raised the severity of the finding to “High”. On August 1, Google confirmed that the vulnerabilities affect Camera apps for other Android devices and issued CVE-2019-2234.
At the end of August, Samsung also confirmed that they were affected, and soon after both Google and Samsung approved the publication of this vulnerability.
In a statement, Google said: “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
The post #Privacy: Vulnerability can hijack Android camera and record video without permission appeared first on PrivSec Report.