Google confirms Android cameras can be hijacked to spy on you

A red Android mascot

Multiple vulnerabilities affecting Google and Samsung smartphones could allow hackers to remotely spy on users through their phone’s camera and speakers, according to the security research team at Checkmarx.

The team conducted a proof-of-concept (PoC) study that uncovered a way for attackers to take photos and videos, record phone conversations, identify user location, and more. All of this could be done covertly, the researchers said, even when the phone was locked and the screen turned off.

The problem stems from permission bypass issues that allow hackers to circumvent the need to request access permission for audio and video recording features, according to Erez Yalon, director of security research at Checkmarx.

"Our team found a way of manipulating specific actions and intents," he told Forbes, "making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung's Camera app."

This loophole could have left hundreds of thousands of Android users open to spying.

Checkmarx’s research team developed a malicious application for their PoC that requested basic storage access, the most commonly requested permission, to get to the phone’s SD card.

"A malicious app running on an Android smartphone that can read the SD card," Yalon said, "not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will."

The attack consisted of two parts: a client app and a command and control server. Once the client app was installed, it created a persistent connection to the command and control server, which could then send instructions even when the app was closed.

Through this, the app could take photos and record videos, silencing the smartphone so no shutter noise would alert the user, then upload them to the command server. It could record audio from both sides of a phone conversation, and simultaneously capture video. It could tag the phone’s GPS location from the photos taken, access and copy stored media, and initiate photo and video recording regardless of whether the phone was unlocked.

Checkmarx submitted its vulnerability report to Google’s Android security team on 4 July. After initially setting the severity of the vulnerability as moderate, Google raised it to high and began contacting other smartphone vendors. On 29 August, Samsung confirmed the vulnerability also affected their devices.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson told Forbes. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

Samsung did not respond to a request for comment by the time of publication.

David Kennefick, product architect at edgescan, advises smartphone users to always update their applications as they become available and to be careful of which permissions users grant them. “A flashlight application should not need access to your contacts or the ability to send SMS,” he said.

The number of Android vulnerabilities that have been disclosed isn’t exactly good for business. Google stands to lose a lot concerned customers’ trust over this and other privacy-based issues, and will have to regain it by improving their security measures. In the meantime, the best way for consumers to protect their devices is to continue updating them.

“Mobile phones have more personal information on them than we have in our homes,” said chief security officer at Cybereason Sam Curry, “so they should have more security on them, and I urge consumers to patch early and often. If you receive a notification on your phone about an update being available, then update it.”