Android camera bug could have turned phones against their users
Android users beware: rogue apps could be using your phone’s camera against you, taking pictures and videos without your knowledge and sending them to attackers. They could even record your phone calls and reveal your location.
News of the vulnerability, which affects the Android camera app used by millions of Google Pixel and Samsung Android users, comes courtesy of application security testing company Checkmarx which has been working with Google and Samsung to fix it. The company’s researchers figured out a way to hijack the camera on Android phones using a permission bypass vulnerability.
Aware that access to camera functions is highly sensitive, Google created a special set of permissions that the user would have to grant to an application before it could use the phone’s camera. These permissions are:
The vulnerability that Checkmarx discovered enables apps to bypass the need for those permissions as long as they have storage permissions that enable an application to access the SD card. In a report on the vulnerability, the company explained:
An application that has access to storage not only has access to past photos and videos (which it already had, by permission design, nothing new there), but also has a way to access newly taken photos and videos by abusing the Google Camera app exported components.
This means an app that holds only SD card (storage) permissions can drive the phone’s camera app, which lets an attacker turn the camera into a remotely controlled sensor:
By manipulating the specific actions and intents, an attacker can now control the Google Camera app to take photos and/or record videos through a rogue application that has no permissions to do so.
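The weakness described in the quote is an exported component that any installed app can reach without holding the permission it effectively grants. The following added check (not code from the report, Google or Samsung) parses an AndroidManifest.xml and lists components that are reachable from other apps yet carry no `android:permission` guard; the manifest, package name and component names below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package, not any real camera app's manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <!-- Reachable by any app: intent-filter makes it exported, no permission required -->
    <activity android:name=".CaptureActivity">
      <intent-filter>
        <action android:name="android.media.action.IMAGE_CAPTURE"/>
      </intent-filter>
    </activity>
    <!-- Exported but guarded: callers must hold the CAMERA permission -->
    <activity android:name=".GuardedCaptureActivity"
              android:exported="true"
              android:permission="android.permission.CAMERA"/>
    <!-- Not exported: only this app can start it -->
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

# Activities, services and receivers share the same export default rule.
COMPONENT_TAGS = ("activity", "service", "receiver")

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def is_exported(elem):
    """Manifest rule: an explicit android:exported wins; otherwise a component
    that declares any intent-filter is exported by default (before Android 12)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None

def unprotected_exported_components(manifest_xml):
    """Return names of components other apps can reach that require no permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if is_exported(comp) and not _attr(comp, "permission"):
                findings.append(_attr(comp, "name"))
    return findings

if __name__ == "__main__":
    for name in unprotected_exported_components(SAMPLE_MANIFEST):
        print("unprotected exported component:", name)
```

Run against a real decoded manifest (for example one extracted with apktool), each flagged component is a place where the permission the app holds is effectively delegated to every other app on the device.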
Certain conditions on the phone could enable them to harvest more data still, the report continued. If the phone’s location data settings embedded location information in the photos’ EXIF metadata, they could access that data and find out where the photos were taken (and therefore where the user has been).