A vulnerability has been identified in the Google Camera and Samsung Camera apps that is easy to exploit and would allow an attacker to take photos on a vulnerable device, record video, obtain the location of the device, record conversations, access stored images and videos, and silence the shutter sound to ensure the user is unaware that pictures are being taken. All recorded information could then be transferred to the attacker’s C2 server through the always-on connection. Images and video could also be recorded while the smartphone is locked.
To exploit the vulnerability, a malicious app would need to be downloaded. That app would only require storage permissions, so it would be unlikely to be viewed as suspicious. Storage access is the most common permission, and one that is required by virtually all apps.
The researchers developed a proof-of-concept exploit and were able to demonstrate, via a weather app, how easy the flaw could be exploited. The app also monitored the proximity sensor and would start recording audio when the phone was placed next to the ear, and since GPS metadata is often embedded into photos, when a photo is taken the attacker would discover the user’s location.
The reason why only storage permissions were required, was it was possible just with access to the SD card to exploit the vulnerability in the Camera app and gain additional permissions.
The vulnerability was identified by researchers at Checkmarx, who disclosed the flaw to Google and Samsung. Initially, the flaw was rated as moderate severity by Google, although this was upgraded to high severity when Checkmarx researchers provided further information on the flaw.
The vulnerability was assigned CVE-2019-2234 and Google released an update via the Play Store to correct the Google Camera application in July 2019. The patch has also been pushed out to all affected partners. The vulnerability was estimated to affect hundreds of millions of Android users. Checkmarx waited until the updates had been released before announcing the flaw. Users who have not updated their camera app since July 2019 will still be vulnerable.
Android users should ensure they are running the latest version of the operating system and that the Camera app is updated.