Android Phone users anxious over Google Camera Bug!

Friday, 22 Nov, 2019

Moreover, Checkmarx is still looking for other Android apps, beyond the Google and Samsung camera apps, that may be vulnerable to the flaw.

The team at Checkmarx found this vulnerability to be present in both the Google Camera and Samsung Camera apps, as well as camera apps from other smartphone makers. An unprotected intent in this context means that the receiving app is not checking whether the app sending the intent has the requisite permission to undertake the action itself (android.permission.CAMERA in this case). "This same technique also applied to Samsung's Camera app."
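A defender can look for this class of problem by listing the components an app exposes to other apps without requiring any permission from the caller. The following Python check is an added example, not code from Checkmarx, Google or Samsung; it reads a decoded AndroidManifest.xml, and the sample manifest, package name, component names and action names are constructed for illustration. It only sees manifest-level protection, so a component that checks the caller's permission in its own code will still be listed and needs manual review.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package, component and action names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <activity android:name=".CaptureActivity" android:exported="true">
      <intent-filter><action android:name="com.example.camera.CAPTURE"/></intent-filter>
    </activity>
    <activity android:name=".GuardedCaptureActivity" android:exported="true"
              android:permission="android.permission.CAMERA"/>
    <service android:name=".LegacyService">
      <intent-filter><action android:name="com.example.camera.RECORD"/></intent-filter>
    </service>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def unprotected_components(manifest_xml):
    """Return names of components other apps can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    # A permission on <application> is the default for every component inside it.
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in app.iter(tag):
            exported = comp.get(ANDROID + "exported")
            if exported is None:
                # Before Android 12, an intent-filter implied exported="true".
                has_filter = comp.find("intent-filter") is not None
                exported = "true" if has_filter else "false"
            permission = comp.get(ANDROID + "permission") or app_permission
            if exported == "true" and not permission:
                findings.append(comp.get(ANDROID + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_components(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

Launcher activities are exported by design and will appear in the output, so treat the list as candidates for review rather than confirmed findings.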

This Android vulnerability allowed hackers to take control of the smartphone's camera and use it to capture photos and record videos as well.

What makes it worse is that GPS metadata is often embedded in images, so an attacker can parse this data to track a user's location as well.

A malicious app exploiting the CVE-2019-2234 vulnerability needs only one condition: it must be granted access to the SD card, which does not usually raise concerns because it is a typical permission requested by numerous other apps. Updating your Android OS and camera app to the latest version is always advisable, as is auditing the applications you're using to see what permissions you've given them, and asking whether you're really OK with that dodgy flashlight or fart app with no reviews having full access to your SD card.

An attacker can control the app to take photos and/or record videos, including recording a voice call, through a rogue application that has no permission to do so. Thanks to a bug found in Google's, Samsung's, and other OEMs' camera apps, a nearly inconspicuous app can secretly spy on the owner using their own phone's cameras.

Google confirmed the existence of the vulnerabilities and released a fix.

To show how dangerous this vulnerability is, Checkmarx developed a "proof of concept" app that required no special permissions outside of the aforementioned storage permission. The vulnerability can let the bad guys take a snap or record videos and audio even when the device screen is locked.

No stranger to security loopholes, Android's developers worked hard to bar apps from accessing cameras and mics unless users give explicit permission by ticking the corresponding boxes in the operating system's settings.

The company said it resolved the issue with a Play Store update to the Google Camera application in July 2019. And while taping over the cameras will at least close off one potential avenue of attack, there's no way to prevent call recording without also preventing your own ability to make and receive calls.