The vulnerabilities are collectively tracked as CVE-2019-2234, attackers could exploit them to conduct several activities, including recording videos, taking photos, recording voice calls, tracking the user’s location.
The vulnerabilities could be exploited by threat
The researchers initially analyzed Google’s Pixel 2 and Pixel 3 devices, then they extended their findings to the camera application on Samsung phones.
“It is possible for any application, without specific permissions, to control the Google Camera app developed for Android and force it to take photos and / or record videos, even if the phone is locked and the screen is turned off.” reads the report published by Checkmarx. “After disclosing these findings to Google, they shared the report with other Android manufacturers, and Samsung confirmed the vulnerabilities existed in their smartphones as well. According to Google, additional OEMs also confirmed the flaws, expanding the impact to hundreds-of-millions of Android users worldwide.”
The vulnerabilities allowed a malicious application installed on the victim’s phone to take control of the camera app present on Google and Samsung devices and spy on users without any special permission.
Experts focused their analysis on a camera application installed on Google smartphones (com.google.android.GoogleCamera package) searching for any vulnerabilities.
The researchers manipulated specific actions and intents and discovered that an attacker can control the Google Camera app to take photos and/or record videos using a rogue application that has no permissions to do it.
The experts also discovered that under specific conditions, attackers can bypass various storage permission policies in order to access to stored videos and photos, as well as GPS metadata embedded in photos to locate the user by taking a photo or video and analyzing the associated EXIF data.
The experts developed a
Below the video PoC of the attack:
The researchers reported the flaws to Google in early July and the company confirmed that a security patch addressed them was released in the same month. Samsung also confirmed to have addressed the issue.
“This type of research activity is part of the Checkmarx Security Research Team’s ongoing