Google confirms Android cameras can be hijacked to spy on you

Android apps can access smartphone cameras, take pictures, record videos, and more

Multiple vulnerabilities affecting Google and Samsung smartphones could allow hackers to remotely spy on users through their phone’s camera and speakers, according to the security research team at Checkmarx.

The team conducted a proof-of-concept (PoC) study that uncovered a way for attackers to take photos and videos, record phone conversations, identify user location, and more. All of this could be done covertly, the researchers said, even when the phone was locked and the screen turned off.

The problem stems from permission bypass issues that allow hackers to circumvent the need to request access permission for audio and video recording features, according to Erez Yalon, director of security research at Checkmarx.

"Our team found a way of manipulating specific actions and intents," he told Forbes, "making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung's Camera app."

This loophole could have left hundreds of thousands of Android users open to spying.

Checkmarx’s research team developed a malicious application for their PoC that requested basic storage access, the most commonly requested permission, to get to the phone’s SD card.

"A malicious app running on an Android smartphone that can read the SD card," Yalon said, "not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will."

The attack consisted of two parts: a client app and a command and control server. Once the client app was installed, it created a persistent connection to the command and control server, which could then send instructions even when the app was closed.

Through this, the app could take photos and record videos, silencing the smartphone so no shutter noise would alert the user, then upload them to the command server. It could record audio from both sides of a phone conversation, and simultaneously capture video. It could tag the phone’s GPS location from the photos taken, access and copy stored media, and initiate photo and video recording regardless of whether the phone was unlocked.

Checkmarx submitted its vulnerability report to Google’s Android security team on 4 July. After initially setting the severity of the vulnerability as moderate, Google raised it to high and began contacting other smartphone vendors. On 29 August, Samsung confirmed the vulnerability also affected their devices.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson told Forbes. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

Samsung did not respond to a request for comment by the time of publication.

David Kennefick, product architect at edgescan, advises smartphone users to always update their applications as they become available and to be careful of which permissions users grant them. “A flashlight application should not need access to your contacts or the ability to send SMS,” he said.

The number of Android vulnerabilities that have been disclosed isn’t exactly good for business. Google stands to lose a lot concerned customers’ trust over this and other privacy-based issues, and will have to regain it by improving their security measures. In the meantime, the best way for consumers to protect their devices is to continue updating them.

“Mobile phones have more personal information on them than we have in our homes,” said chief security officer at Cybereason Sam Curry, “so they should have more security on them, and I urge consumers to patch early and often. If you receive a notification on your phone about an update being available, then update it.”

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
How to unroot Android
Google Android

How to unroot Android

27 Jul 2021
PayPal looks to block hate group funding
Security

PayPal looks to block hate group funding

26 Jul 2021
What is two-factor authentication?
two-factor authentication (2FA)

What is two-factor authentication?

23 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021