There’s been constant paranoia about the cameras in smartphones for as long as smartphones have had cameras. Can somebody hack into your phone, turn on your camera and watch? Or record? Well, it turns out that yes, they can. At least, they can if you’re one of the potentially “hundreds of millions” of Android users on a Google or Samsung smartphone.
The issue was first discovered (at least, publicly) by the security research team at Checkmarx. They say that after a detailed analysis of the Google Camera app in the Pixel 3, they found a way to manipulate certain code to take control of the camera to shoot photos or record videos, even when the phone was locked with the screen off, and without the user knowing.
Their tests were also performed on the Google Pixel 2 XL, and they ended up finding multiple vulnerabilities that allowed apps to completely bypass operating system permissions. They also discovered that these same vulnerabilities affected Samsung smartphones, too, and possibly other smartphone manufacturers.
The team created a pair of proof-of-concept applications. One acts as the malicious app that you might unknowingly download from the Google Play Store. The other is the attacker’s command-and-control (C&C) server. The malicious app was basically a mockup of a normal and benign-looking weather app. But it allowed the operator of the C&C to see what devices were connected to it and perform a number of pretty scary actions, including the following…
- Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
- Record a video on the victim’s phone and upload (retrieve) it to the C&C server
- Parse all of the latest photos for GPS tags and locate the phone on a global map
- Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
- Wait for a voice call and automatically record:
  - Video from the victim’s side
  - Audio from both sides of the conversation
The video above from Checkmarx’s YouTube channel shows the proof-of-concept apps in action. The vulnerability was first submitted to Android’s security team at Google on July 4th, 2019, over four months ago, along with the proof-of-concept malicious app. How long it might have been known about by others before that time is unclear.
Google initially set the severity of the discovery to “moderate”, but after the Checkmarx team sent more feedback to Google, it was raised to “high”. Google confirmed that the vulnerabilities may affect other Android smartphone vendors. On August 29th, Samsung confirmed that they were also affected. The news of the vulnerability was published just yesterday in order to give both vendors, and possibly others, the time to resolve the issues before it went public.
> We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.
A patch has been released, and chances are that your Android devices will alert you to the existence of a new update soon if they haven’t already. All of my Android devices have lit up in the last day or two to let me know about a new Google security update, which is no doubt to patch this particular issue.
Checkmarx hasn’t explicitly said so, that I can see, but it’s possible that some older devices which no longer receive OS or security updates are affected by this vulnerability. And some updates may be down to your phone carrier to deliver, rather than the manufacturer.
So, for the paranoid out there, Facebook probably hasn’t been monitoring your phone’s camera and microphone. But, if they wanted to, they could have done. And they could’ve done it without even asking for permissions or you having any idea they were accessing it.
You can get the complete report for the exploit here.