Bug in Google Camera App Could've Let Rogue Apps Secretly Record You

Android camera apps from Google and Samsung made it possible for shady apps to record video and take images, and upload them to an attacker-controlled remote server without requiring any permissions, a new research has found.

The vulnerabilities — uncovered by Israeli security vendor Checkmarx — impacted Google's Pixel lineup of smartphones and Samsung's Galaxy series, putting hundreds of millions of end-users at risk from the exploit.

Noting that the flaws were a result of "permission bypass issues," the researchers found potential attack vectors that "enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data."
As a consequence, the Checkmarx researchers found that a rogue Android app could easily force the camera apps on Pixel and Galaxy phones to take photos and record videos, even if the phones were locked, the screen was turned off, or even during the middle of a voice call.

Google was informed of the findings on July 4, 2019, with the company confirming that the exploit (CVE-2019-2234) could affect other Android smartphone vendors on August 1. Samsung confirmed the vulnerability at its end on August 29.

The search giant, in a statement, said the issue was addressed via a Play Store update to the Google Camera application in July 2019. It also said a patch has also been made available to all partners.

The flaws stem from the fact that Android camera application typically stores images and videos on an SD card, which requires storage permissions.

"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card," Checkmarx noted. "There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos."

This broad access could be abused by a malicious app to take photos and videos without specific camera permissions, the researchers said. Additionally, if the camera app has location enabled, the attacker could extract this information from the images and know about the victim's whereabouts.

To demonstrate the risk, the researchers developed a proof-of-concept (PoC) app that can take photos and videos and upload to a remote server under their control, aside from parsing all of the latest photos for GPS tags and locate the phone on a global map.

The fact that the exploit potentially impacts the broader Android ecosystem is yet another reason why handset makers need to be prompt in issuing security updates to their devices.

Unfortunately, there's no easy way to check if other Android phones are susceptible to the exploit other than using Android Debug Bridge to trigger the commands manually.

If you are a Pixel of a Galaxy phone user, it's recommended that you update to the latest version of the operating system and make sure you are using the latest version of the Camera app.

Comments