If you are connected to the Internet, someone out there is going to try to gain access to your information without your permission. Just this week reports surfaced of a vulnerability on WhatsApp.
Last week it was Facebook on iOS. Now, Google apps.
The latest threat targets Android users and it gives hackers access to personal data via the Google camera app on Android devices. We have the Checkmarx Security Research Team to thank for the latest report.
How Checkmarx uncovered the vulnerabilities
Armed with a Google Pixel 2 XL and a Pixel 3, the team researched the camera and uncovered “multiple concerning vulnerabilities stemming from ‘permission bypass issues.’” They explain:
“After further digging, we also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem – namely Samsung – presenting significant implications to hundreds-of-millions of smartphone users.”
The latest threat – classified as CVE-2019-2234 – allows hackers to control a user’s camera app. That lets them take photos and record videos while circumventing the device’s security permissions.
“We found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.”
What exactly does this mean?
Well, if hackers can control an app remotely, and in so doing gain access to your gallery, camera, microphone, and GPS location, it’s pretty serious.
And it has severe real-world consequences. Not only can they listen in on your life, they can also pinpoint your exact location. Or rather, your location to a radius of 10 metres.
Android camera applications usually store photos and videos on the SD card. Since photos and videos are sensitive user information, an application needs special storage permissions to access them.
Unfortunately, storage permissions are very broad: they give access to the entire SD card.
There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. But hackers would have an interest in that type of information.
A worst-case scenario
To drive home exactly how dangerous this latest vulnerability is, the research team “designed and implemented a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission.”
The malicious app designed for the demonstration was a simple weather app that could “create a persistent connection back to the C&C server and wait for commands from the attacker from anywhere in the world.”
Closing the app wouldn’t terminate the persistent connection, and the C&C console was able to assess which other devices are connected to the target phone.
Through the fake weather app, the research team could perform the following actions:
- Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
- Record a video on the victim’s phone and upload (retrieve) it to the C&C server
- Parse all of the latest photos for GPS tags and locate the phone on a global map
- Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
- Wait for a voice call and automatically record:
  - Video from the victim’s side
  - Audio from both sides of the conversation
The team worked closely with Google and Samsung to uncover the vulnerabilities, and remarked that the “professionalism shown by both Google and Samsung does not go unnoticed.”
Google, in turn, appreciated the efforts of the Checkmarx team and confirmed that the issue had been addressed:
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”