• Google and Samsung have confirmed the existence of security vulnerabilities affecting millions of devices.
  • The vulnerability impacts all Google handsets, including those beyond the Pixel product line.

Erez Yalon, Director of Security Research at Checkmarx, disclosed on Tuesday a security vulnerability stemming from a permission bypass issue. The bug, tracked as CVE-2019-2234, allows cybercriminals to hijack an Android phone's camera and covertly take pictures or record video even while the device is locked.

How was the bug discovered?

Checkmarx, after discovering the flaw on Google and Samsung devices, noted that hundreds of millions of end users could potentially be susceptible to the exploit.

  • The researchers began with a security investigation of smartphone camera capabilities, exploring the Google Camera app on a Google Pixel 2 XL and a Pixel 3.
  • They found that specific actions let them manipulate the devices and, in effect, allowed rogue applications without the relevant permissions to control the Google Camera app.
  • They could take photos and record video while the target device was locked or its screen was turned off, and even while the victim was speaking on a phone call.

On Google devices, apps must normally obtain the user's approval for permission requests, but in Checkmarx's attack scenario these requirements were bypassed.

"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card," the researchers note. "There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it's one of the most commonly requested permissions observed."

Additionally, since photos are often stored on the device with embedded GPS metadata, an attacker could extract this data and learn the target's whereabouts.

PoC exploit

To illustrate a worst-case scenario for the identified vulnerability, the researchers built a demonstration disguised as a weather app. When opened, the app connects to a C&C server and waits for the operator to send commands to capture and exfiltrate footage.

Using the PoC exploit, they could perform functions including:

  • Take a photo or record a video and upload it to the C&C
  • Silence the phone while taking photos and recording videos
  • Parse photos for GPS tags and locate the phone on a global map, among other actions
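The GPS point made earlier in the article (photos stored with embedded location metadata) and the PoC's "parse photos for GPS tags" capability rest on the same fact: a JPEG's EXIF block can carry the coordinates where the picture was taken. The following is an added example, not code from Checkmarx, Google or this article, showing how a defender can audit a JPEG for embedded GPS coordinates and strip the EXIF segment before a photo is shared or backed up. It uses only the standard library, walks the JPEG marker segments and the TIFF/IFD structure directly, and builds its own sample JPEG inline (the coordinates and the helper names are constructed for the example, not taken from any real photo).

```python
import struct

SOI = b"\xff\xd8"   # start of image
EOI = b"\xff\xd9"   # end of image
EXIF_MAGIC = b"Exif\x00\x00"

def split_segments(jpeg):
    """Split a JPEG into (marker, raw_bytes) header segments.
    Parsing stops at SOS (0xDA); the entropy-coded tail is kept as one (None, bytes) chunk."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    segments = [(0xD8, SOI)]
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xD9:                      # EOI is standalone (no length field)
            segments.append((marker, jpeg[pos:pos + 2]))
            pos += 2
            break
        if pos + 4 > len(jpeg):
            break
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]   # length includes its own 2 bytes
        segments.append((marker, jpeg[pos:pos + 2 + length]))
        pos += 2 + length
        if marker == 0xDA:                      # SOS: compressed scan data follows
            break
    if pos < len(jpeg):
        segments.append((None, jpeg[pos:]))
    return segments

def _is_exif_app1(marker, seg):
    return marker == 0xE1 and seg[4:10] == EXIF_MAGIC

def _gps_from_tiff(tiff):
    """Parse the TIFF structure inside an EXIF APP1 payload and return (lat, lon) in
    decimal degrees, or None when no complete GPS IFD is present."""
    endian = {b"MM": ">", b"II": "<"}.get(tiff[:2])
    if endian is None:
        return None
    u16 = lambda off: struct.unpack_from(endian + "H", tiff, off)[0]
    u32 = lambda off: struct.unpack_from(endian + "I", tiff, off)[0]

    def entries(ifd_off):
        # Each IFD: 2-byte count, then 12-byte entries (tag, type, count, value/offset).
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_ifd = None
    for tag, _typ, _count, vpos in entries(u32(4)):          # IFD0 starts at the offset in the header
        if tag == 0x8825:                                     # GPSInfo IFD pointer
            gps_ifd = u32(vpos)
    if gps_ifd is None:
        return None

    fields = {}
    for tag, typ, count, vpos in entries(gps_ifd):
        if typ == 2:                                          # ASCII: inline when it fits in 4 bytes
            start = vpos if count <= 4 else u32(vpos)
            fields[tag] = tiff[start:start + count].rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 5 and count == 3:                         # three RATIONALs: degrees, minutes, seconds
            nums = struct.unpack_from(endian + "IIIIII", tiff, u32(vpos))
            if 0 in nums[1::2]:
                return None                                   # malformed: zero denominator
            d, m, s = (nums[i] / nums[i + 1] for i in (0, 2, 4))
            fields[tag] = d + m / 60 + s / 3600
    if not {1, 2, 3, 4} <= fields.keys():                     # LatRef, Lat, LonRef, Lon
        return None
    lat = fields[2] * (-1 if fields[1] == "S" else 1)
    lon = fields[4] * (-1 if fields[3] == "W" else 1)
    return round(lat, 6), round(lon, 6)

def extract_gps(jpeg):
    """Return (latitude, longitude) from the JPEG's EXIF GPS tags, or None."""
    for marker, seg in split_segments(jpeg):
        if _is_exif_app1(marker, seg):
            return _gps_from_tiff(seg[10:])
    return None

def strip_exif(jpeg):
    """Return the JPEG with its EXIF APP1 segment removed; all other segments are kept byte-for-byte."""
    return b"".join(seg for marker, seg in split_segments(jpeg) if not _is_exif_app1(marker, seg))

def build_sample_jpeg():
    """Constructed test input (not a real photo): SOI, a COM segment, an EXIF APP1 segment
    with GPS tags for 51 deg 30' 15.00" N, 0 deg 7' 30.00" W, and EOI."""
    entry = lambda tag, typ, count, value4: struct.pack(">HHI", tag, typ, count) + value4
    dms = lambda deg, mins, sec_hundredths: struct.pack(">IIIIII", deg, 1, mins, 1, sec_hundredths, 100)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                                   # big-endian header, IFD0 at 8
    tiff += struct.pack(">H", 1) + entry(0x8825, 4, 1, struct.pack(">I", 26)) + b"\x00" * 4   # IFD0 -> GPS IFD at 26
    tiff += struct.pack(">H", 4)                                                  # GPS IFD, four entries
    tiff += entry(0x0001, 2, 2, b"N\x00\x00\x00") + entry(0x0002, 5, 3, struct.pack(">I", 80))
    tiff += entry(0x0003, 2, 2, b"W\x00\x00\x00") + entry(0x0004, 5, 3, struct.pack(">I", 104))
    tiff += b"\x00" * 4 + dms(51, 30, 1500) + dms(0, 7, 3000)                     # no next IFD; rationals at 80 and 104
    exif = EXIF_MAGIC + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    comment = b"constructed sample"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return SOI + com + app1 + EOI

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample:", extract_gps(sample))            # location the photo would leak
    print("GPS after strip:", extract_gps(strip_exif(sample)))
```

Running the module on its own constructed sample shows the coordinates that would be exposed, then confirms that `strip_exif` removes them while leaving every other segment (here the COM segment) untouched. On a real device the same audit can be pointed at the photos in shared storage that any app holding the broad storage permission can read.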

The experiment showed that this attack vector is viable as long as the malicious app holds basic storage permissions.

Google was informed of the researchers' findings on July 4, 2019; by August 1, Google had registered the CVE and confirmed that other vendors were affected too. A fix was subsequently released, followed by public disclosure.

Comments from the giants

Google thanked the research team that discovered the flaw and said, "the issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

A Samsung spokesperson told ZDNet, "Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."

Mitigation recommendation

For proper mitigation and as a general best practice, keep all applications on your device up to date.

Cyware Publisher