Checkmarx’s security research team has discovered several vulnerabilities affecting Google and Samsung smartphones which could allow an attacker to take control of a device’s camera app to remotely take photos, record video and even spy on user’s conversations and location.
The team initially began researching the Google Camera app on a Pixel 2XL and Pixel 3 when they discovered multiple vulnerabilities stemming from permission bypass issues. Checkmarx dug further and found that these same vulnerabilities also impact Samsung’s camera app and other Android smartphone vendors as well.
Director of security research at Checkmarx, Erez Yalon and senior security researcher at the company, Pedro Umbelino explained how they were able to use a rogue app to gain control of the Google Camera app in a blog post, saying:
“After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.”
Camera app vulnerabilities
In order to exploit the vulnerabilities its team found in the Google Camera app, Checkmarx developed a malicious application as a proof of concept exploit. The weather app it created did not require any special permissions besides basic storage access which is a commonplace permission requested by many other apps on the Google Play Store.
However, in addition to its weather app, Checkmarx also set up a command and control server which the app connects to for the purpose of carrying out an attacker’s bidding. Once the app is installed and has been opened on a user’s device, it creates a persistent connection to the command and control server and waits for instructions.
Even if a user were to close the app, it would still be connected to the server and an attacker could command it to take a photo, record video, record audio from voice calls, capture GPS tags from photos and access the data stored on the device. All of the photos and videos taken by the app would then be uploaded to the server.
The proof of concept exploit created by Checkmarx would even allow an attacker to record video and take photos if the smartphone was locked.
Both Google and Samsung have issued fixes for the vulnerabilities and to prevent falling victim to a similar attack, users should update their devices to the latest version of Android, check to make sure that the latest available security patches have been applied and update their camera app as well.