Google and Samsung smartphones reportedly had a serious security flaw that could allow spying on users. The vulnerability existed in the Android Camera app that would permit covert pictures and video recording.
Android Camera App Vulnerability Discovered
Researchers from Checkmarx have come up with an important discovery. They have found a vulnerability in the Android Camera app that affects most Samsung and Google phones. Exploiting the bug could allow a potential attacker to take control of the device’s camera. Consequently, the camera would continue running in the background without users’ input. It would pose a risk to a users’ privacy as the camera could record videos and take pictures without consent.
In brief, the vulnerability (CVE-2019-2234) allowed unauthorized apps to bypass granted permissions. Hence, through a rogue app, an attacker could access the device camera. Moreover, exploiting the vulnerability could also allow access to stored pictures and videos, and the users’ GPS location.
The following video demonstrates how the attack would proceed, even in the real-world scenario.
Researchers have shared their findings in brief in a blog post. They also shared a detailed technical report with the OEMs informing them of the flaw.
Patch Now To Remain Safe
The researchers tested Google Pixel 2 XL and Pixel 3 to find the bug. Furthermore, they also observed that the same vulnerability also affected Samsung devices.
Upon discovering the vulnerability, the researchers informed Google and Samsung about the flaw. In response, Google patched the vulnerability with July 2019 updates. As confirmed in their statement to Checkmarx,
We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.
Whereas, according to ZDNet, Samsung has also addressed this issue.
Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly.
Recently, researchers also highlighted a flaw in Qualcomm powered Android phones that could expose sensitive device information to potential attackers.
Let us know your thoughts in the comments.