An alarming security vulnerability has been discovered in several models of Android smartphones manufactured by Google, Samsung, and others that could allow malicious apps to secretly take pictures and record videos — even when they don’t have specific device permissions to do so.
You must already know that the security model of the Android mobile operating system is primarily based on device permissions where each app needs to explicitly define which services, device capabilities, or user information it wants to access.
However, researchers at Checkmarx discovered that a vulnerability, tracked as CVE-2019-2234, in pre-installed camera apps on millions of devices could be leveraged by attackers to bypass such restrictions and access the device camera and microphone without any permissions to do so.
How Can Attackers Exploit the Camera App Vulnerability?
The attack scenario involves a rogue app that only needs access to device storage (i.e., SD card), which is one of the most commonly requested permissions and does not raise any suspicion.
According to researchers, by merely manipulating specific “actions and intents,” a malicious app can trick vulnerable camera apps into performing actions on behalf of the attacker, who can then steal the photos and videos from the device storage after they are taken.
Since smartphone camera apps already have access to required permissions, the flaw could allow attackers to indirectly and surreptitiously take photos, record videos, eavesdrop on conversations, and track location — even if the phone is locked, the screen is off, or the app is closed.
“After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so,” Checkmarx wrote in a blog post published today.
“Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.”
To demonstrate the risk of the vulnerability for Android users, the researchers created a proof-of-concept rogue app masquerading as an innocent weather app that only asks for the basic storage permission.