Google confirms Android cameras can be hijacked to spy on you

Android apps can access smartphone cameras, take pictures, record videos, and more

Multiple vulnerabilities affecting Google and Samsung smartphones could allow hackers to remotely spy on users through their phone’s camera and speakers, according to the security research team at Checkmarx.

The team conducted a proof-of-concept (PoC) study that uncovered a way for attackers to take photos and videos, record phone conversations, identify user location, and more. All of this could be done covertly, the researchers said, even when the phone was locked and the screen turned off.

Advertisement - Article continues below

The problem stems from permission bypass issues that allow hackers to circumvent the need to request access permission for audio and video recording features, according to Erez Yalon, director of security research at Checkmarx.

"Our team found a way of manipulating specific actions and intents," he told Forbes, "making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung's Camera app."

This loophole could have left hundreds of thousands of Android users open to spying.

Checkmarx’s research team developed a malicious application for their PoC that requested basic storage access, the most commonly requested permission, to get to the phone’s SD card.

"A malicious app running on an Android smartphone that can read the SD card," Yalon said, "not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The attack consisted of two parts: a client app and a command and control server. Once the client app was installed, it created a persistent connection to the command and control server, which could then send instructions even when the app was closed.

Through this, the app could take photos and record videos, silencing the smartphone so no shutter noise would alert the user, then upload them to the command server. It could record audio from both sides of a phone conversation, and simultaneously capture video. It could tag the phone’s GPS location from the photos taken, access and copy stored media, and initiate photo and video recording regardless of whether the phone was unlocked.

Checkmarx submitted its vulnerability report to Google’s Android security team on 4 July. After initially setting the severity of the vulnerability as moderate, Google raised it to high and began contacting other smartphone vendors. On 29 August, Samsung confirmed the vulnerability also affected their devices.

Advertisement - Article continues below

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson told Forbes. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

Samsung did not respond to a request for comment by the time of publication.

David Kennefick, product architect at edgescan, advises smartphone users to always update their applications as they become available and to be careful of which permissions users grant them. “A flashlight application should not need access to your contacts or the ability to send SMS,” he said.

The number of Android vulnerabilities that have been disclosed isn’t exactly good for business. Google stands to lose a lot concerned customers’ trust over this and other privacy-based issues, and will have to regain it by improving their security measures. In the meantime, the best way for consumers to protect their devices is to continue updating them.

Advertisement - Article continues below

“Mobile phones have more personal information on them than we have in our homes,” said chief security officer at Cybereason Sam Curry, “so they should have more security on them, and I urge consumers to patch early and often. If you receive a notification on your phone about an update being available, then update it.”

Featured Resources

Key considerations for implementing secure telework at scale

Identifying the security risks and advanced requirements of a remote workforce

Download now

The State of Salesforce 2020

Your guide to getting the most from Salesforce

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Rethink your cybersecurity strategy for the new world

5 steps to secure the enterprise and be fit for a flexible future

Download now
Advertisement
Advertisement

Recommended

How to unroot Android
Google Android

How to unroot Android

22 Apr 2020
Secure files on your smartphone with Google Safe Folder
Mobile Phones

Secure files on your smartphone with Google Safe Folder

5 Aug 2020
Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
The Man has ruined my Huawei P40
Mobile Phones

The Man has ruined my Huawei P40

3 Jul 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
UN report points to a 350% rise in phishing websites at start of 2020
phishing

UN report points to a 350% rise in phishing websites at start of 2020

7 Aug 2020