A vulnerability in Google’s Android operating system could have allowed malicious apps to take control of a user’s smartphone camera even without being granted access.
The Checkmarx team found that an app with access to just the phone’s storage could bypass Android’s security to not only take pictures and video but also upload the content to an external server. Even more troublesome, an attacker could then read the stolen files’ metadata to determine where the phone is located, thanks to embedded GPS information.
“A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will,” Checkmarx says. “And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data.”
A demo of the attack also shows how a camera’s microphones could be activated during phone calls, allowing an attacker to eavesdrop on private conversations.
Google confirmed in a statement that it patched the vulnerability after being alerted to the issue, ensuring that all up-to-date Pixel devices are no longer affected.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung, another major cell phone provider that uses the Android operating system, released a similar statement.
“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected,” a company spokesperson said. “We value our partnership with the Android team that allowed us to identify and address this matter directly.”
Checkmarx notes that other smartphone companies may still be vulnerable, potentially placing “hundreds of millions” of people at risk.
“We also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem… presenting significant implications to hundreds of millions of smartphone users,” the security firm said in a blog post.
Although such an attack would likely be used only against high-profile targets, Pixel users can still check to see whether they are vulnerable.
Pixel owners should first make sure all their apps have been fully updated. Users can then access “Camera” in the settings menu and select “Advanced.” From there, click on “App details” to confirm that the app has been updated since at least July.
Advanced users running other Android phones can run the commands listed here to see whether their cellphone vendor has issued the necessary patches.
H/T Ars Technica
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.