A vulnerability in Google’s Android operating system could have allowed malicious apps to take control of a user’s smartphone camera even without being granted access.
The team found that an app with access to just the phone’s storage could bypass Android’s security to not only take pictures and video but to upload the content to an external server. Even more troublesome, an attacker could then access the stolen files’ metadata to determine where the phone is located thanks to embedded GPS information.
“A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will,” Checkmarx says. “And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data.”
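The following Python example is added here and is not code from Checkmarx, Google or the original article. It shows where the GPS metadata described above sits inside a JPEG and how to check whether a photo carries it, for instance when auditing what photos on shared storage reveal. `exif_gps` and `build_sample` are hypothetical names, and the sample image bytes and coordinates are constructed.

```python
import struct

def _ifd(tiff, off, e):
    """Read one TIFF IFD into {tag: 4-byte value-or-offset field}."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {t: v for t, _typ, _cnt, v in
            (struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n))}

def _coord(tiff, gps, e, ref_tag, val_tag, negative_ref):
    """Three RATIONALs (deg, min, sec) plus a hemisphere letter -> signed degrees."""
    (off,) = struct.unpack(e + "I", gps[val_tag])
    d, dd, m, md, s, sd = struct.unpack_from(e + "6I", tiff, off)
    value = d / dd + m / md / 60 + s / sd / 3600
    return -value if gps[ref_tag][:1] == negative_ref else value

def exif_gps(jpeg):
    """Return (lat, lon) from a JPEG's EXIF GPS IFD, or None if absent or malformed."""
    try:
        pos = 2
        while jpeg[:2] == b"\xff\xd8" and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
            (size,) = struct.unpack_from(">H", jpeg, pos + 2)
            seg = jpeg[pos + 4:pos + 2 + size]
            if jpeg[pos + 1] == 0xE1 and seg[:6] == b"Exif\0\0":   # APP1 / EXIF
                tiff = seg[6:]
                e = "<" if tiff[:2] == b"II" else ">"               # TIFF byte order
                ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
                gps = _ifd(tiff, struct.unpack(e + "I", ifd0[0x8825])[0], e)  # GPSInfo
                return (_coord(tiff, gps, e, 1, 2, b"S"),
                        _coord(tiff, gps, e, 3, 4, b"W"))
            pos += 2 + size
    except (struct.error, IndexError, KeyError, ZeroDivisionError):
        pass    # truncated data, no GPS IFD, or zero denominator: treat as no location
    return None

def build_sample(gps=True):
    """Constructed test data: minimal little-endian EXIF JPEG, built in memory."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    u32 = lambda n: struct.pack("<I", n)
    rat = lambda *v: b"".join(struct.pack("<II", x, 1) for x in v)
    # Offsets: IFD0 at 8, GPS IFD at 26, latitude at 80, longitude at 104.
    tiff = (b"II*\0" + u32(8)
            + struct.pack("<H", 1) + ent(0x8825 if gps else 0x0112, 4, 1, u32(26)) + u32(0)
            + struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, u32(80))
            + ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, u32(104)) + u32(0)
            + rat(47, 36, 0) + rat(122, 19, 48))
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

A photo for which `exif_gps` returns coordinates discloses its capture location to anything that can read the file, so stripping or disabling location tags removes that exposure.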
A demo of the attack also shows how a camera’s microphones could be activated during phone calls, allowing an attacker to eavesdrop on private conversations.
Google confirmed in a statement that it patched the vulnerability after being alerted to the issue, ensuring that all up-to-date Pixel devices are no longer affected.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung, another major cell phone provider that uses the Android operating system, released a similar statement.
“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected,” a company spokesperson said. “We value our partnership with the Android team that allowed us to identify and address this matter directly.”
Checkmarx notes that other smartphone companies may still be vulnerable, potentially placing “hundreds of millions” of people at risk.
“We also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem… presenting significant implications to hundreds of millions of smartphone users,” the security firm said in a blog post.
Although such an attack would likely be used only against high-profile targets, Pixel users can still check whether they are vulnerable.
Pixel owners should first make sure all their apps have been fully updated. Users can then access “Camera” in the settings menu and select “Advanced.” From there, click on “App details” to confirm that the app has been updated since at least July.
Advanced users running other Android phones can run the commands listed here to see whether their cellphone vendor has issued the necessary patches.
H/T Ars Technica
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.