Android camera bug lets attackers take pictures, track calls

News by Chandu Gopalakrishnan

Researchers discover a bug in Google and Samsung phones that literally spies on its users

Days after a bug in the latest version of Facebook's iOS app was found to open iPhone cameras, researchers have discovered a bug in Google and Samsung phones that literally spies on its users.

"After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so," wrote Checkmarx researchers in a blog post.

"Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app."

Applications must obtain a set of permissions in order to access the input from the camera, microphone, and GPS location. Checkmarx researchers staged an attack that circumvents this permission policy by hacking the Google Camera app, making it work for the attacker.

Many applications request access to the SD storage of the phone. A rogue application that covertly takes photos or videos only needs storage permissions to take things a step further and fetch photos and videos after being taken. If the camera app is GPS-enabled, the rogue application could pinpoint the current GPS position of the phone and user.

"It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well," read the blog post.

"This is the worst-case scenario for many people, myself included. The thoughts of somebody being able to record every moment of my life via an exploit on my smartphone really instills the ‘tinfoil hat’ mentality," commented David Kennefick, product architect at edgescan.

Checkmarx informed Google about the vulnerability and a patch was issued.

"The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners," read the Google response.

"If you receive a notification on your phone about an update being available, then update it. Unfortunately, many people see this notification and think that the update will slow down the phone's performance and they decide not to update,"  said Sam Curry, chief security officer at Cybereason. 

"If you haven't received an update notification in some time, consider contacting your mobile provider to see if they are managing updates for you."

This discovery is a wake-up call to manufacturers such as Google and Samsung, he noted. 

"If any manufacturer and their down-stream carrier partners were looking for business justification, this is it. Not only can you do the right thing and keep people safe, but you can provide a high value, managed service and differentiator as well. If you already do this, consider a subtle messaging campaign to let your users know what you do for them."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews