Google confirms Android cameras can be hijacked to spy on you

Android apps can access smartphone cameras, take pictures, record videos, and more

Multiple vulnerabilities affecting Google and Samsung smartphones could allow hackers to remotely spy on users through their phone’s camera and speakers, according to the security research team at Checkmarx.

The team conducted a proof-of-concept (PoC) study that uncovered a way for attackers to take photos and videos, record phone conversations, identify user location, and more. All of this could be done covertly, the researchers said, even when the phone was locked and the screen turned off.

The problem stems from permission bypass issues that allow hackers to circumvent the need to request access permission for audio and video recording features, according to Erez Yalon, director of security research at Checkmarx.

"Our team found a way of manipulating specific actions and intents," he told Forbes, "making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung's Camera app."

This loophole could have left hundreds of thousands of Android users open to spying.

Checkmarx’s research team developed a malicious application for their PoC that requested basic storage access, the most commonly requested permission, to get to the phone’s SD card.

"A malicious app running on an Android smartphone that can read the SD card," Yalon said, "not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will."

The attack consisted of two parts: a client app and a command and control server. Once the client app was installed, it created a persistent connection to the command and control server, which could then send instructions even when the app was closed.

Through this, the app could take photos and record videos, silencing the smartphone so no shutter noise would alert the user, then upload them to the command server. It could record audio from both sides of a phone conversation, and simultaneously capture video. It could tag the phone’s GPS location from the photos taken, access and copy stored media, and initiate photo and video recording regardless of whether the phone was unlocked.

Checkmarx submitted its vulnerability report to Google’s Android security team on 4 July. After initially setting the severity of the vulnerability as moderate, Google raised it to high and began contacting other smartphone vendors. On 29 August, Samsung confirmed the vulnerability also affected their devices.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson told Forbes. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

Samsung did not respond to a request for comment by the time of publication.

David Kennefick, product architect at edgescan, advises smartphone users to always update their applications as they become available and to be careful of which permissions users grant them. “A flashlight application should not need access to your contacts or the ability to send SMS,” he said.

The number of Android vulnerabilities that have been disclosed isn’t exactly good for business. Google stands to lose a lot concerned customers’ trust over this and other privacy-based issues, and will have to regain it by improving their security measures. In the meantime, the best way for consumers to protect their devices is to continue updating them.

“Mobile phones have more personal information on them than we have in our homes,” said chief security officer at Cybereason Sam Curry, “so they should have more security on them, and I urge consumers to patch early and often. If you receive a notification on your phone about an update being available, then update it.”

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

How to unroot Android
Google Android

How to unroot Android

9 Sep 2020
Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020