GOOGLE CAMERA APP FLAW: YOU ARE SPIED

Researchers have disclosed a high-severity issue that could allow attackers to hijack the Google Camera App, the built-in camera in smartphones. A vulnerability in the Google Camera Application left millions of Google and Samsung smartphones open to being potentially abused potentially letting a malicious actor to take photos, download images and video and listen in to phone calls.

The flaw, CVE-2019-2234, is a permission bypass issue that enables real-time access to a phone through the camera application, according to a report by the Checkmarx Security Research Team. The Checkmarx team tested its theories on a Google Pixel 2 and 3 model phones and Samsung later confirmed some of its devices that used the app were also susceptible to the vulnerability.

IS YOUR CAMERA SPYING YOU?

According to Erez Yalon and Pedro Umbelino, security researchers at cyber security firm Checkmarx, they have found vulnerabilities impact the camera apps of smartphones vendors like Google pixel and some Samsung devices in the Android ecosystem, presenting significant implications to millions of smartphones.After the analysis of Google Camera app, it has been found that by utilising and manipulating specific actions, attacker can control app to take photos or record videos through an application that has no permission to do so.

HOW IT WORKS?

Usually, the photos and videos are stored in the SD card. The victim needs permission which is the storage permission to access the sensitive information such as photos and videos of the user. The storage permissions are broad that it accesses the entire SD card. There are many apps that can access the storage permissions and yet it does not feature to fetch the sensitive information such as videos and photos and therefore a rogue application is utilised which does not require the camera permissions but only the storage. By accessing the application, the victim is able to fetch photos and videos from storage.

Craig Young, computer security researcher for Village Education Research and Training (VERT), was surprised Google allowed such a flaw to pass through its own quality and control efforts.

“One of the most important aspects of Android app security is to lock down exported activities. Within Android, Intents serve as the glue for cross-application interaction at runtime allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request,” Young said.

Prior to the patch being pushed an attacker working the command and control server could see what devices are connected to the phone and take these actions: • Take a photo on the victim’s phone and upload it to the C&C server. • Record a video on the victim’s phone and upload it to the C&C server. • Parse all of the latest photos for GPS tags and locate the phone on a global map. • Operate in stealth mode whereby the phone is silenced while taking photos and recording videos. • Wait for a voice call and automatically record video from the victim’s side and audio from both sides of the conversation.

It is still not known why apps were able to access camera without user permission. In an email, Checkmarx speculated that it could potentially be related to Google’s decision to make the camera work with Google assistant, a feature that other manufacturers may also have implemented.