Android flaw lets rogue apps take photos, record video even if your phone is locked

Millions of Google and Samsung devices were vulnerable to exploit.
Written by Charlie Osborne, Contributing Writer

Google and Samsung have confirmed the existence of security vulnerabilities which allow cyberattackers to hijack your phone camera and covertly take pictures or record video -- even if your device is locked.

On Tuesday, Erez Yalon, Director of Security Research at Checkmarx disclosed the bugs, tracked overall as CVE-2019-2234, which stem from permission bypass issues.

The team began an investigation of the security of our smartphones' camera capabilities by exploring the Google Camera app on a Google Pixel 2 XL and Pixel 3, leading to the discovery that they were able to tamper with particular actions and, overall, make it "possible for any application, without specific permissions, to control the Google Camera app."

This included taking photos and recording video, even if the target device was locked or the screen was turned off, or if the victim was in the middle of a phone call -- all of which are potential attack vectors that could lead to surveillance and a serious invasion of privacy.

Checkmarx says that other smartphone vendors making use of the Android operating system, namely Samsung, were also vulnerable. As a result, it is possible that hundreds of millions of end-users could have been susceptible to exploit. 

Google is strict when it comes to mobile applications obtaining access to sensitive information from camera, microphone, or location services. As a result, users must accept permission requests, but in Checkmarx's attack scenario, these requirements are bypassed. 

The Android camera application usually stores images and videos on an SD card, and so for apps to access this content, they require storage permissions. 

"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card," the researchers note. "There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it's one of the most common requested permissions observed."

See also: Malicious Android apps containing Joker malware set up shop on Google Play

It is this set of permissions that the team decided to use as an attack conduit. If a malicious app is granted access to an SD card, it was not only possible to access photos and videos, but the vulnerability ensured that the photo app could be forced to take new images and video content. 

"We could easily record the receiver's voice during the call and we could record the caller's voice as well," the researchers said. "This is not desired behavior, since the Google Camera app should not be allowed to be fully controlled by an external app, circumventing the camera/mic/GPS permissions that the user is trusting the Android OS to enforce."

To make matters worse, as GPS metadata is often recorded and embedded into images, an attacker could theoretically parse this data and gain knowledge of a user's whereabouts. 

A proof-of-concept (PoC) mock weather app has been designed to show that as long as there are basic storage permissions in place, this attack vector is possible. When opened, the app connects to a command-and-control (C2) server and waits for the operator to send commands to take and steal footage.

The PoC app is able to perform the following functions:

  • Take a photo on the victim's phone and upload it to the C2
  • Record a video on the victim's phone and upload it to the C2
  • Parse photos for GPS tags and locate the phone on a global map
  • Silence the phone while taking photos and recording videos
  • Wait for a voice call -- made possible through the phone's proximity sensor -- and automatically record video from the victim and audio from both sides

The vulnerability impacts all Google handsets, including those beyond the Pixel product line. 

CNET: Demonstrators scan public faces in DC to show lack of facial recognition laws

Google was informed of the researchers' findings on July 4, 2019, and both the PoC app and an accompanying video were sent a day later. Feedback on Google's belief the security issue was only "moderate" later convinced the tech giant to bump up the issue to a "high" severity problem, and by August 1, Google registered the CVE and confirmed that other vendors were impacted. 

A fix was then released, leading to public disclosure. 

TechRepublic: Cybersecurity remains the top concern for middle market companies

"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure," Google said in a statement. "The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

By August 29, Samsung, one of the affected vendors, confirmed the vulnerability impacted the firm's handsets. 

A Samsung spokesperson told ZDNet:

"Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards