Android camera vulnerability allowed spying on hundreds of millions of users

Attackers can take photos and videos and then send them over the network

A security vulnerability allowed any application to control the native Camera application in the Android operating system, including taking photos, without the necessary permissions from the user. This was stated in an article by Erez Yalon, head of the security department at Checkmarx.

Yalon discovered such vulnerabilities in the Camera applications of Google and Samsung. To exploit them, it is enough for the user to give an application permission to access the device’s memory.

To demonstrate the use of the vulnerability, Yalon created a fake weather application that asks the user for only one permission: access to memory. The application itself is harmless and is not blocked by the Google Play Protect security system. But closing the application does not break its connection to the server, which allows the hacker to send commands. After that, the hacker will be able to do the following on the smartphone, even when it is locked:
  • Take photos and videos using the smartphone’s camera, and then upload them to a remote server. The user will not notice this, since the shutter sound will be muted
  • Using the proximity sensor, determine that the user is talking on the phone, and then record what both interlocutors say
  • Record video of the user during a call, in addition to sound
  • Get unlimited access to photos and videos on the device
  • Get GPS tags from all photos on the device, if the user has enabled them in the camera application. This data can then be used to track the user's movements.

Checkmarx reported the vulnerability to Google in July 2019. Google recognized, though not immediately, that the vulnerability affects a wide range of smartphone manufacturers. This happened in the second half of August, and manufacturers were then notified of the danger. At the very end of August, Samsung recognized the vulnerability on its devices.

In November, Google and Samsung approved the publication. According to Google, it fixed the vulnerability on its own devices in July, and also sent a patch to all the affected partners.
