Researchers from security firm Checkmarx have disclosed an Android camera flaw that allowed rogue apps to record video and audio, as well as upload images to an attacker-controlled server.
The disclosure comes after the release of patches for the flaws. Primarily, Google and Samsung’s camera apps were affected. Google pushed a patch to its app in July, but it’s not clear when Samsung fixed its app. However, Google says camera apps from other manufacturers may still be susceptible.
According to Checkmarx, Google designed Android to bar apps from accessing cameras and microphones without permission to do so from the user. However, the security firm found it easy to bypass these security restrictions and record video and audio without getting permission from users. Further, to upload captured images to a server, an app only needed permission to access a device’s storage — one of the most commonly given permissions.
Additionally, the flaw allowed attackers to track a user’s physical location through GPS data embedded in images or videos.
Checkmarx created a proof-of-concept weather app that exploited the flaw to do the following:
- Take pictures and record videos, regardless if the phone was locked, the screen was off, or the app was closed.
- Acquire GPS data embedded into any photo or video stored on the device.
- Eavesdrop and record two-way phone conversations while simultaneously capturing images or videos.
- Silence the camera shutter to make it harder to detect.
- Transfer any photo or video on the device to an attacker-controlled server.
- List and download and JPG image or MP4 video stored on the phone’s SD card.
Attacks wouldn’t go unnoticed; phones would display the camera when in use
Granted, an attack of this nature wouldn’t be completely unnoticeable. For example, an exploited device would still show the camera when recording video or capturing images. Users would notice if an attacker tried to carry out an attack while they were looking at the phone. However, that doesn’t prevent attackers from taking advantage of the flaw when the display is out of sight. Attackers could leverage a device’s proximity sensor to detect if a device were face down and the screen not visible.
Checkmarx’s app was also able to use the proximity sensor to detect if the phone was held to a user’s ear and then record a phone call. It could take pictures or videos at the same time.
Google officials told Ars Technica in a statement that they “appreciate Checkmarx bringing this to [their] attention and working with Google and Android partners to coordinate disclosure.” Additionally, it made a patch available to all its partners. Samsung confirmed to Ars that it had released a patch to all potentially affected models.
Further, Checkmarx suggested to Ars that the flaw may have been the result of Google making the camera work with Assistant, but it’s not sure why apps were able to access the camera without permission.
Pixel owners can quickly check if they’re affected
If you’re using a Pixel device, you can check if you’re vulnerable by long-pressing the Camera app icon, tapping the ‘i’ icon in a circle, tapping ‘Advanced’ and then ‘App details.’ This will bounce you to the source of the installation, which should be the Play Store. Make sure you’re running the latest version, but as long as you’re using a version newer than July 2019, you should be safe.
On phones from other manufacturers, checking for the flaw is significantly more difficult. According to Ars, you’ll need a computer with Android Debug Bridge (ADB), and you’ll need to connect your phone and run some commands to test for the flaw. If you’re confident in your ability to use tools like ADB, you can find the instructions here.
Thankfully, due to the nature of the flaw, it takes a fair amount of skill and luck to execute it. As such, it likely isn’t feasible to use against the majority of Android users. That said, it could be a powerful spying tool when used against specific users. Coupled with how easy it is for malicious apps to get on the Play Store, it probably wouldn’t be too difficult for a determined attacker to pull off.
Source: Checkmarx Via: Ars Technica
MobileSyrup may earn a commission from purchases made via our links, which helps fund the journalism we provide free on our website. These links do not influence our editorial content. Support us here.