A vulnerability in Google’s Android operating system could have allowed malicious apps to take control of a user’s smartphone camera even without being granted access.
The team found that an app with access to just the phone’s storage could bypass Android’s security to not only take pictures and video but to upload the content to an external server. Even more troublesome, an attacker could then access the stolen files’ metadata to determine where the phone is located thanks to embedded GPS information.
“A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will,” Chechmarx says. “And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data.”
A demo of the attack also shows how a camera’s microphones could be activated during phone calls, allowing an attacker to eavesdrop on private conversations.
Google confirmed in a statement that it patched the vulnerability after being alerted to the issue, ensuring that all up-to-date Pixel devices are no longer affected.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung, another major cell phone provider which utilizes the Android operating system, released a similar statement as well.
“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected,” a company spokesperson said. “We value our partnership with the Android team that allowed us to identify and address this matter directly.”
Checkmarx notes that other smartphone companies may still be vulnerable, potentially placing “hundreds of millions” of people at risk.
“We also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem… presenting significant implications to hundreds of millions of smartphone users,” the security firm said in a blog post.
Although such an attack would only likely be used against high-profile targets, Pixel users can still check to see whether they are vulnerable.
Pixel owners should first make sure all their apps have been fully updated. Users can then access “Camera” in the settings menu and select “Advanced.” From there, click on “App details” to determine that the app has been updated since at least July.
Advanced users running other Android phones can run the commands listed here to see whether their cellphone vendor has issued the necessary patches.
H/T Ars Technica