Android Bugs Let Hackers Secretly Record Video and Steal Pictures

Newsweek 2 weeks ago

Security vulnerabilities that were recently discovered in Android devices could be exploited to covertly record video and steal pictures, researchers say.

Camera application bugs in devices from popular smartphone makers Google and Samsung were found by security firm Checkmarx, which disclosed them yesterday. The team said its findings had "significant implications to hundreds-of-millions of smartphone users."

A video of the proof-of-concept hack shows a booby-trapped app could abuse the camera app by bypassing basic permissions, Ars Technica reported.

Checkmarx researchers demonstrated the major issues by creating a fake and malicious weather application—the type of software that could easily sneak onto the official application store.

The team showed the bug working on a Google Pixel 2 XL smartphone running Android 9 software.

If the victim opened the malicious app, a silent connection to the attacker's server would be created, lurking in the background and waiting to receive commands. The connection would be persistent, meaning that it continued to exist even if the dodgy application was closed or the phone screen was locked.

According to Checkmarx, the attackers would be able to remotely take photos, record videos and obtain GPS data—all in real time. The attacker could use the phone's back camera to see a person's surroundings and exfiltrate photos and videos from the phone's SD card.

The proof-of-concept essentially let the team bypass storage permission policies. "Checkmarx researchers designed an attack scenario that circumvents this permission policy by abusing the Google Camera app itself, forcing it to do the work on behalf of the attacker," experts said.

The full list of impacted devices remains unknown, but the security company claimed Google confirmed the camera app issues "extended into the broader Android ecosystem."

Disclosure of the bugs was made in coordination with Google and Samsung, which pushed out security patches. Users can update their mobile software to help stay protected.

"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure," a Google spokesperson said in a statement this week. "The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

The latest Android 10 software, such as that offered in the new Pixel 4, offers greater app permission transparency than ever before. All users should monitor what access is being granted.

In its timeline, Checkmarx said Google raised the severity of the bug to "high" on July 23 and started to contact additional vendors in late August. Samsung did not immediately respond to a request for comment asking for information about when the fix was rolled out.

A spokesperson told Ars: "Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."
