A vulnerability in the Google Camera app may have allowed attackers to surreptitiously take pictures and record videos even if the phone is locked or the screen is off, Checkmarx researchers have discovered.
In addition to this, attackers would have also been able to eavesdrop on and record phone conversations, silence the camera shutter, transfer captured photos, video and data to their C&C server, and pull GPS location based on photo’s metadata.
Android camera spy: The discovery
Checkmarx researchers delved into the Google Camera app on Google Pixel 2 XL and Pixel 3 devices and discovered several permission bypass issues collectively labeled as CVE-2019-2234.
These issues could be exploited through an app that has one single permission: to access the device’s storage (i.e., SD card).
“After a detailed analysis of the Google Camera app, our team found a way of manipulating specific actions and intents, making it possible for any application, without specific permissions, to control the Google Camera app,” Erez Yalon, Director of Security Research at Checkmarx, explained.
“To properly demonstrate how dangerous this could be for Android users, our research team designed and implemented a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission. Simulating an advanced attacker, the PoC had two working parts: the client-part that represents a malicious app running on an Android device, and a server-part that represents an attacker’s command-and-control (C&C) server. When the client starts the app, it essentially creates a persistent connection back to the C&C server and waits for commands and instructions from the attacker, who is operating the C&C server’s console from anywhere in the world.”
The PoC app they designed was ostensibly a weather app and, as Yalon told Help Net Security, it would have passed the Google Play Store vetting process before they disclosed the issue to Google.
As noted before, through such an app and connection an attacker could make the camera app take photos, record videos, wait for a voice call and automatically record audio from both sides of the conversation (the wait for a voice call option was implemented via the phone’s proximity sensor that can sense when the phone is held to the victim’s ear), operate in stealth mode, upload the recorded video and audio to a remote server, and more.
Here’s a demo video of the rogue app in action:
What can you do?
The researchers shared their findings with Google, which confirmed that the vulnerabilities affected all Google phone models and likely those of other Android OEMs.
“The Google Camera app is part of the applications that are installed by default on Pixel phones,” Yalon pointed out. “Some vendors – e.g., Samsung – use their own camera application, others may use the default app. Also, users can choose not to use their default app and download the Google one, or a different one.”
The researchers then contacted additional vendors regarding the vulnerabilities and heard back from Samsung, whose camera apps were also found to be vulnerable.
“The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” Google notified the researchers.
Yalon told us that Samsung also confirmed that fixes have been released to the public. Still, it has to be pointed out that the latest released versions of their two camera apps on Google Play are dated July 3, 2018.
The researchers advise users to update the apps to the latest available version and to regularly update their Android OS.
UPDATE (November 19, 2019, 7:40 a.m. PT):
The mentioned Samsung apps are not the vulnerable ones.
“Samsung’s application we referred to is not available in the Play Store. They are installed directly on Samsung’s phones and updated directly by the Galaxy Store,” Yalon told Help Net Security.