Even if you’re diligent about app permissions, sometimes you just can’t predict how or when a bad actor will abuse them. This time around, a team of security researchers found a terrifying flaw with the Android camera apps that could let malicious apps completely take control over a phone’s camera to spy on users without their knowledge.
It doesn’t take a genius to know that photos and videos can contain extremely sensitive information, and therefore, you should think twice about giving an app permission to use a camera. That’s why Google has a specific set of permissions that an app needs from a user to gain access to a phone’s camera. However, researchers at Checkmarx found that a malicious app could bypass that safety net completely by requesting storage permissions.
Storage permissions are common in Android apps, broadly used for many legitimate use cases. Essentially, because Android camera apps often store photos and videos to an SD card, granting an app permission to storage gives it access to the entire contents of that card, according to the researchers. And the truly terrifying thing is that attackers wouldn’t even need to request access to the camera. Instead, Checkmarx writes, “an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so” once it has storage permission. Worse yet, once the permission is granted, it doesn’t matter if a user closes the app as the connection has already been established, the researchers found.
To demonstrate the vulnerability, the team at Checkmarx recorded a proof-of-concept video. Using a mockup Weather app, the team was able to not only take photos and videos from a Pixel 2 XL and Pixel 3, but it also was able to glean GPS data from those photos. The team was able to detect when the phone was face down and could then remotely direct the rear camera to take photos and video. Another creepy bit is that attackers could potentially enact a “stealth mode,” where camera shutter noises are silenced and after taking photos, return the phone to its lock screen as nothing happened. But perhaps most disturbingly, the video demonstrates a scenario where attackers could start recording a video while someone was in the middle of a call, record two-way audio, and take photos or video of the victim’s surroundings—all without the target knowing.
The vulnerability wasn’t limited to the Google camera app, either. The researchers found they also impacted the Samsung camera app, as well as camera apps from many other smartphone vendors. That means the vulnerability potentially impacted hundreds of millions of phones.
Thankfully, the flaw has since been disclosed to both Google and Samsung. Google issued a patch for the flaw via a Play Store update back in July, and a patch was then distributed to all Android partners. Samsung also confirmed to Checkmarx that a fix had been released.
That’s all good, but it’s meaningless unless you actually update your phone. So if you’re on Android and have been putting off updates, you should absolutely go and make sure you’re running the latest version.