Erez Yalon, Director of Security Research at Checkmarx, disclosed the security vulnerability, which stems from permission bypass issues, on Tuesday. The bug, tracked as CVE-2019-2234, allows cybercriminals to hijack an Android phone’s camera and covertly take pictures or record video even if the device is locked.
The vulnerability impacts all Google handsets, including those beyond the Pixel product line.
How was the bug discovered?
Checkmarx, after discovering the flaw on Google and Samsung devices, commented that it is possible that hundreds of millions of end users could be susceptible to the exploit.
On Google devices, users must accept permission requests, but in Checkmarx's attack scenario these requirements were bypassed.
"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card," the researchers note. "There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it's one of the most common requested permissions observed."
Additionally, since images are often embedded with GPS metadata when they are stored on the device, an attacker could extract this data and learn the target’s whereabouts.
PoC exploit
To consider a worst-case scenario for the identified vulnerability, the researchers built a demonstration app that poses as a weather app. When opened, the app connects to a C&C server and waits for the operator to send commands to take and steal footage.
Using the PoC exploit, they could perform functions including:
The experiment proved that, as long as there are basic storage permissions in place, this attack vector is possible.
Google was informed of the researchers' findings on July 4, 2019, and by August 1, Google registered the CVE and confirmed that it affected other vendors too. A fix was soon released, leading to public disclosure.
Comments from the giants
Google thanked the research team who discovered the flaw and said, "the issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
A Samsung spokesperson told ZDNet, "Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."
Mitigation recommendation
For proper mitigation and as a general best practice, keep all applications on your device up to date.