A vulnerability in Google’s Android operating system could have allowed malicious apps to take control of a user’s smartphone camera even without being granted access.
Researchers at security firm Checkmarx found that an app with access to just the phone’s storage could bypass Android’s security to not only take pictures and video but also upload the content to an external server. Even more troublesome, an attacker could then access the stolen files’ metadata to determine where the phone is located thanks to embedded GPS information.
“A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will,” Checkmarx says. “And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data.”
A demo of the attack also shows how a camera’s microphones could be activated during phone calls, allowing an attacker to eavesdrop on private conversations.
Google confirmed in a statement that it patched the vulnerability after being alerted to the issue, ensuring that all up-to-date Pixel devices are no longer affected.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung, another major cellphone provider that uses the Android operating system, released a similar statement.
“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected,” a company spokesperson said. “We value our partnership with the Android team that allowed us to identify and address this matter directly.”
Checkmarx notes that other smartphone companies may still be vulnerable, potentially placing “hundreds of millions” of people at risk.
“We also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem… presenting significant implications to hundreds of millions of smartphone users,” the security firm said in a blog post.
Although such an attack would likely only be used against high-profile targets, Pixel users can still check to see whether they are vulnerable.
Pixel owners should first make sure all their apps have been fully updated. Users can then access “Camera” in the settings menu and select “Advanced.” From there, click on “App details” to confirm that the app has been updated since at least July.
Advanced users running other Android phones can run the commands listed here to see whether their cellphone vendor has issued the necessary patches.
H/T Ars Technica
Mikael Thalen is a tech and security reporter based in Seattle, covering social media, data breaches, hackers, and more.