Google flaw allowed hackers access to Android phones through camera

Issue made it possible for attackers to take photos or record video without owner's permission 

Chelsea Ritschel
Thursday 21 November 2019 21:38 GMT

Google has confirmed that a flaw that allowed hackers to take control of Android phone cameras, microphones and GPS location without the owners’ permission has been fixed.

The flaw was identified by security firm Checkmarx, which found “multiple concerning vulnerabilities” in the Google Camera app that enabled attackers to spy on its users. The issue, which also affected Samsung, meant that “hundreds of millions of smartphone users” were at risk.

According to the firm, its team found that by “manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permission to do so”.

Checkmarx also found that certain scenarios enabled hackers to access stored videos and photos or see “GPS metadata embedded in photos” that would locate a user.

The firm was able to demonstrate these vulnerabilities using a mock-up weather app that required only basic storage permission from an Android user. According to the firm, storage permissions are “very broad” and give access to the “entire SD card”.

“This means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user,” the security team wrote on its website. “Of course, a video also contains sound. It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well.”

In full, the vulnerabilities gave an attacker the ability to: “take a photo on the victim’s phone and upload (retrieve) it to the C&C server, record a video on the victim’s phone and upload (retrieve) it to the C&C server, parse all of the latest photos for GPS tags and locate the phone on a global map, operate in stealth mode whereby the phone is silenced while taking photos and recording videos and wait for a voice call and automatically record: video from the victim’s side and audio from both sides of the conversation”.

After identifying the flaw, the firm notified Google, which, after researching the report, found that the vulnerabilities were “not specific to the Pixel product line” and that “the impact was much greater and extended into the broader Android ecosystem”.

The tech giant has since fixed the vulnerabilities and thanked the security firm for identifying the issue.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

Samsung has also released patches to fix the issue since it was discovered, CNN reports.

According to Checkmarx, the research was part of the company’s “ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based smartphones and IoT devices, while bringing more security awareness amid the consumers who purchase and use them.”

“Protecting privacy of consumers must be a priority for all of us in today’s increasingly connected world,” the company concluded.
