Android camera vulnerabilities could allow an attacker to spy on you

Shawn Knight

TechSpot Staff
Staff member

As Checkmarx Senior Security Researcher Pedro Umbelino explains, the team started their investigation by having a look at the Google Camera app on Pixel 2 XL and Pixel 3 handsets. They found multiple vulnerabilities relating to permission bypass issues that could allow an attacker, via a rogue app, to use the camera app to take photos and record videos.

Attacks are even possible when a victim’s phone is locked, the screen is off and during voice calls.

Other attack scenarios could allow a bad actor to access stored photos and videos and even garner GPS metadata to help track down the location of a user. This technique also applied to Samsung’s Camera app, Umbelino noted.

To demonstrate the various vulnerabilities, the team at Checkmarx designed a proof-of-concept app meant to look like an ordinary weather app. With it, they were successfully able to snap photos and videos without a user’s knowledge, grab GPS data from photos and even record audio from both sides of a conversation during voice calls.

Umbelino said the Checkmarx team responsibly notified Google of their findings, and Google confirmed that the issue wasn’t limited to its camera app but rather extended into the general Android ecosystem.

Google in a statement issued to Checkmarx said the issue was addressed on impacted Google devices via a Play Store update to the Google Camera app in July 2019, adding that a patch has been made available to all partners. Both Google and Samsung approved of Checkmarx’s sharing of the vulnerabilities after a fix was released.

As a general best practice and to mitigate these specific issues, make sure you have the latest updates for each and every app on your mobile device.

Masthead credit: Smartphone tracking by CHUYKO SERGEY


 

Uncle Al

TS Evangelist
Well, since I carry the phone in my back pocket I guess I should be flattered at anyone that wants to take a peek! Just remember to leave flowers and candy (sugar free, of course).
 

Yynxs

TS Addict
I'm thinking, since it's Android, that this is not a bug, this is a feature. Just not a feature for the public. But that's just me.
 

hk2000

TS Booster
Who cares? The masses, for whom Android is made, are so easy, you don't even have to "spy" on them, just make the gadget with the built-in camera and have them plant it for you any place in their homes, and they'll pay for it too.
 