Google and Samsung confirm massive Android Camera exploit affecting “hundreds of millions” of users

Nov 20, 2019

John Aldred

John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.

Google and Samsung confirm massive Android Camera exploit affecting “hundreds of millions” of users

Nov 20, 2019

John Aldred

John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.

Join the Discussion

Share on:

There’s been constant paranoia about the cameras in smartphones for as long as smartphones have had cameras. Can somebody hack into your phone, turn on your camera and watch? Or record? Well, it turns out that yes, they can. At least, they can if you’re one of the potentially “hundreds of millions” of Android users on a Google or Samsung smartphone.

The issue was first discovered (at least, publicly) by the security research team at Checkmarx. They say that after a detailed analysis of the Google Camera app in the Pixel 3, they found a way to manipulate certain code to take control of the camera to shoot photos or record videos, even when the phone was locked with the screen off, and without the user knowing.

YouTube video

Their tests were also performed on the Google Pixel 2 XL, and they ended up finding multiple vulnerabilities that allowed apps to completely bypass operating system permissions. They also discovered that these same vulnerabilities affected Samsung smartphones, too, and possibly other smartphone manufacturers.

The team created a pair of proof-of-concept applications. One acts as the malicious app that you might unknowingly download from the Google Play Store. The other is the attacker’s command-and-control (C&C) server. The malicious app was basically a mockup of a normal and benign-looking weather app. But it allowed the operator of the C&C to see what devices were connected to it and perform a number of pretty scary actions, including the following…

  • Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
  • Record a video on the victim’s phone and upload (retrieve) it to the C&C server
  • Parse all of the latest photos for GPS tags and locate the phone on a global map
  • Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
  • Wait for a voice call and automatically record:
    • Video from the victim’s side
    • Audio from both sides of the conversation

The video above from Checkmarx’s YouTube channel shows the proof-of-concept apps in action. The vulnerability was first submitted to Android’s security team at Google on July 4th, 2019, over four months ago, along with the proof-of-concept malicious app. How long it might have been known about by others before that time is unclear.

Google initially set the severity of the discovery to “moderate”, but after the Checkmarx team sent more feedback to Google, it was raised to “high”. Google confirmed that the vulnerabilities may affect other Android smartphone vendors. Samsung confirmed that they were also affected on August 29th. The news of the vulnerability was published just yesterday in order to give both vendors, and possibly others, the time to resolve the issues before it went public.

We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.

– Google

A patch has been released, and chances are that your Android devices will alert you to the existence of a new update soon if they haven’t already. All of my Android devices have lit up in the last day or two to let me know about a new Google security update, which is no doubt to patch this particular issue.

Checkmarx hasn’t explicitly said so, that I can see, but it’s possible that some older devices which no longer receive OS or security updates are affected by this vulnerability. And some updates may be down to your phone carrier to deliver, rather than the manufacturer.

So, for the paranoid out there, Facebook probably hasn’t been monitoring your phone’s camera and microphone. But, if they wanted to, they could have done. And they could’ve done it without even asking for permissions or you having any idea they were accessing it.

You can get the complete report for the exploit here.

[via Forbes]

Filed Under:

Tagged With:

Find this interesting? Share it with your friends!

John Aldred

John Aldred

John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.

Join the Discussion

DIYP Comment Policy
Be nice, be on-topic, no personal information or flames.

Leave a Reply

Your email address will not be published. Required fields are marked *

7 responses to “Google and Samsung confirm massive Android Camera exploit affecting “hundreds of millions” of users”

  1. Marco Peixoto Avatar
    Marco Peixoto

    They are…

    I have noticed talking about things and then a day or two later i get FB Ads from the things I spoke…

    1. Nicole Phillips Avatar
      Nicole Phillips

      Marco Peixoto I was talking with someone in my house about something for my dog. Never googled or searched for it on amazon. That afternoon, there’s an ad for it on FB. I guess my iPad is listening.

    2. Rob Gipman Avatar
      Rob Gipman

      Huawei also a target?

  2. Albin Avatar
    Albin

    Have to say I’ve always felt creepy about the exposed smartphone “selfie” cam (use washi tape on PCs) and am liking the new pop-ups that are buried inside during ordinary use, which for me is blue moon. With face and retinal ID, hacked selfie images could become a serious theft vector.

  3. Marko Avatar
    Marko

    This exploit is on all phones, not just Android. Facebook was just exposed as opening iPhone cameras without owner permission or knowledge. They say they fixed the ‘bug’ but how many others do the same?

  4. Tj Ó Seamállaigh Avatar
    Tj Ó Seamállaigh

    ……… and in the end …. Huawei is a source of danger

  5. Sergi Yavorski Avatar
    Sergi Yavorski

    Already patched