An Android camera flaw has been reported that could allow attackers to take pictures, record videos, or extract GPS data without requiring any explicit permissions from users. The loophole, which was spotted on the Google Camera app available on Pixel devices and the Samsung Camera app that comes preloaded on Galaxy devices, can be executed remotely using a malicious app. It is known to be available on the Google Camera and Samsung Camera apps until July 2019 and is listed as CVE-2019-2234.
The vulnerability has been discovered by a team of security researchers at Checkmarx. The researchers found that while an app generally requires to obtain certain permissions to record videos, take pictures, and access GPS metadata, apps that have the default ‘Storage‘ permission to use the device‘s SD card and its media content can exploit the Camera app to gain access to capture photos, videos, or obtain EXIF data and geolocation details. The flaw was noticed after analysing the camera app. However, it is also said to have existed in the Samsung Camera app.
“[O]ur researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call,” Checkmarx researchers in a blog post.
There are a large number of apps on that ask for the Storage permission. Thus, the scope of the camera flaw appears to be quite wide.
Checkmarx researchers created a proof-of-concept app that works as a weather app but silently transmits a picture, video, and phone call recordings to a command-and-control server. The team after confirming the issue through the proof-of-concept app notified Google of its findings on July 4. The search giant had raised the severity of the finding to “High” on July 23 and noted that it may affect other Android smartphone vendors. Google also issued CVE-2019-2234 to help smartphone vendors fix the flaw on their Android devices.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” Google said in a statement.
Checkmarx researchers said on August 29 also confirmed that the flaw had affected their camera app. The South Korean company — just like Google – however, has fixed the issue.
That being said, it is still unclear whether other Android vendors have followed in the footsteps of Google and Samsung and fixed the vulnerability on their devices. It is recommended to have the latest software updates along with the most recent app versions to avoid uncertainties.