A new security vulnerability has been discovered inside the Android camera app that potentially affects hundreds of millions of phones across the world. Discovered by a team of security researchers at Checkmarx, the exploit allows a malicious app with access to a phone's storage system to bypass Google's permission safety net and completely spy on users.
Since photos and videos are considered to be sensitive information, Google enforces a permission system that prevents third-party applications from accessing the camera app and its data without a user's explicit consent (referred to as intents). After analyzing Google Camera, however, the team found that "by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so."
In addition, the team discovered "that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data." This vulnerability was also present on Samsung's camera apps.
Using a proof-of-concept weather app, with only the storage access permission granted to it, the team of researchers was able to surreptitiously spy on a Pixel 2 XL user, as shown in their demonstration video.
The vulnerability, designated CVE-2019-2234, affects both the Google Camera and Samsung Camera apps, as well as camera apps from other vendors. Both Google and Samsung have already issued patches for their camera apps, with Google addressing the issue back in July via a Play Store update. Since this vulnerability extends into the broader Android ecosystem, Google has also notified its OEM partners and sent out patches to them.
With many apps regularly asking for storage permission, such as games, streaming services, and file managers, there is a high potential for abuse by hackers. If you haven't done so already, be sure to download and apply the latest Android security patches and app updates on your phones. Those running a GCam mod on their devices need to also check that they're based on a newer version of the app. And if your device is too old to receive updates, it's probably time to get a new one.
Our original headline singled out Google and Samsung apps, giving the wrong impression that this vulnerability didn't extend to other devices. In actuality, Google and Samsung are the companies that have been quick with fixes, and it's handsets from other manufacturers that remain at risk. We apologize for any confusion.
- Bleeping Computer