IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google confirms Android cameras can be hijacked to spy on you

Android apps can access smartphone cameras, take pictures, record videos, and more

A red Android mascot

Multiple vulnerabilities affecting Google and Samsung smartphones could allow hackers to remotely spy on users through their phone’s camera and speakers, according to the security research team at Checkmarx.

The team conducted a proof-of-concept (PoC) study that uncovered a way for attackers to take photos and videos, record phone conversations, identify user location, and more. All of this could be done covertly, the researchers said, even when the phone was locked and the screen turned off.

The problem stems from permission bypass issues that allow hackers to circumvent the need to request access permission for audio and video recording features, according to Erez Yalon, director of security research at Checkmarx.

"Our team found a way of manipulating specific actions and intents," he told Forbes, "making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung's Camera app."

This loophole could have left hundreds of thousands of Android users open to spying.

Checkmarx’s research team developed a malicious application for their PoC that requested basic storage access, the most commonly requested permission, to get to the phone’s SD card.

"A malicious app running on an Android smartphone that can read the SD card," Yalon said, "not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will."

The attack consisted of two parts: a client app and a command and control server. Once the client app was installed, it created a persistent connection to the command and control server, which could then send instructions even when the app was closed.

Through this, the app could take photos and record videos, silencing the smartphone so no shutter noise would alert the user, then upload them to the command server. It could record audio from both sides of a phone conversation, and simultaneously capture video. It could tag the phone’s GPS location from the photos taken, access and copy stored media, and initiate photo and video recording regardless of whether the phone was unlocked.

Checkmarx submitted its vulnerability report to Google’s Android security team on 4 July. After initially setting the severity of the vulnerability as moderate, Google raised it to high and began contacting other smartphone vendors. On 29 August, Samsung confirmed the vulnerability also affected their devices.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson told Forbes. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

Samsung did not respond to a request for comment by the time of publication.

David Kennefick, product architect at edgescan, advises smartphone users to always update their applications as they become available and to be careful of which permissions users grant them. “A flashlight application should not need access to your contacts or the ability to send SMS,” he said.

The number of Android vulnerabilities that have been disclosed isn’t exactly good for business. Google stands to lose a lot concerned customers’ trust over this and other privacy-based issues, and will have to regain it by improving their security measures. In the meantime, the best way for consumers to protect their devices is to continue updating them.

“Mobile phones have more personal information on them than we have in our homes,” said chief security officer at Cybereason Sam Curry, “so they should have more security on them, and I urge consumers to patch early and often. If you receive a notification on your phone about an update being available, then update it.”

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

Free Download

Recommended

Microsoft releases 5MB Outlook Lite app for Android
Microsoft Office

Microsoft releases 5MB Outlook Lite app for Android

3 Aug 2022
What is zero trust?
network security

What is zero trust?

14 Jul 2022
Retbleed hardware-level flaw brings overhead woe to Intel and AMD
Hardware

Retbleed hardware-level flaw brings overhead woe to Intel and AMD

13 Jul 2022
An analysis of the European cyber threat landscape
Whitepaper

An analysis of the European cyber threat landscape

8 Jul 2022

Most Popular

Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
The benefits of a hardware update for SMBs
Sponsored

The benefits of a hardware update for SMBs

2 Aug 2022