Security vulnerabilities that were recently discovered in Android devices could be exploited to covertly record video and steal pictures, researchers say.
Camera application bugs in devices from popular smartphone makers Google and Samsung were found by security firm Checkmarx, which disclosed them yesterday. The team said its findings had "significant implications to hundreds-of-millions of smartphone users."
A video of the proof-of-concept hack shows a booby-trapped app could abuse the camera app by bypassing basic permissions, Ars Technica reported.
Checkmarx researchers demonstrated the major issues by creating a fake and malicious weather application—the type of software that could easily sneak onto the official application store.
The team showed the bug working on a Google Pixel 2 XL smartphone running Android 9 software.
If the victim opened the malicious app, a silent connection would be created to the attacker's server that lurked in the background and waited to receive commands. The connection would be persistent, meaning that it continued to exist even if the dodgy application was closed or the phone screen was locked.
According to Checkmarx, the attackers would be able to remotely take photos, record videos and obtain GPS data—all in real time. The attacker could use the phone's back camera to see a person's surroundings and exfiltrate photos and videos from the phone's SD card.
The proof-of-concept essentially let the team bypass storage permission policies. "Checkmarx researchers designed an attack scenario that circumvents this permission policy by abusing the Google Camera app itself, forcing it to do the work on behalf of the attacker," experts said.
The full list of impacted devices remains unknown, but the security company claimed Google confirmed the camera app issues "extended into the broader Android ecosystem."
Disclosure of the bugs was made in coordination with Google and Samsung, which pushed out security patches. Users can update their mobile software to help stay protected.
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure," a Google spokesperson said in a statement this week. "The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
The latest Android 10 software, like offered in the new Pixel 4, offers greater app permission transparency than ever before. All users should monitor what access is being granted.
In its timeline, Checkmarx said Google raised the severity of the bug to "high" on July 23 and started to contact additional vendors in late August. Samsung did not immediately respond to request for comment asking for information about when the fix was rolled out.
A spokesperson told Ars: "Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."