Security researchers have discovered a vulnerability that allowed them to activate cameras on Android devices without users’ consent. This was due to errors in the camera apps from Google and Samsung. The leak may also be in camera apps from other brands.
Researchers from Checkmarx conducted research with a Pixel 2 XL and Pixel 3. They discovered that the Google Camera app contains bugs that can cause permission bypass issues. Malicious persons can thus gain access to the camera, for example via an app, without users giving permission for the use of the camera.
The researchers demonstrated this by creating a weather app that only asks permission to save files. When users start the app, a permanent connection to a command & control server is established. From the c&c console, the attacker can then activate the camera and upload photos or videos to the server.
In this way, for example, an incoming call can also be waited for to listen to the audio. In addition, the GPS coordinates in photos can be used to locate victims. According to Checkmarx, this is all possible without the user noticing. The camera can be activated even when the phone’s screen is off, or when users are in the middle of a call.
Android phone makers usually include their own camera apps. Checkmarx found the leak in Google’s camera app, but noticed that it also works in Samsung’s camera app. The security company notified Google and Samsung after the discovery; that was early July. Google closed the leak that same month with an update to the Camera app.
Google acknowledged in August that the leak is likely to affect other Android smartphones, and has made a patch available to partners making Android devices. Checkmarx contacted ‘multiple manufacturers’ in August, after which Samsung confirmed that it was also affected. Samsung also claims to have patched the leak.
It is unknown whether the vulnerability has been exploited. It is also unclear whether devices from more manufacturers are vulnerable and whether that is still the case. Checkmarx has put its publication online in agreement with Google and Samsung.