Google flaw allowed hackers access to Android phones through camera
Issue made it possible for attackers to take photos or record video without owner's permission
Google has confirmed that a flaw that allowed hackers to take control of Android phone cameras, microphones and GPS location without the owners’ permission has been fixed.
The flaw was identified by security firm Checkmarx, which found “multiple concerning vulnerabilities” in the Google Camera app that enabled them to spy on its users. The issue, which also affected Samsung, meant that “hundreds of millions of smartphone users” were at risk.
According to the firm, its team found that by “manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permission to do so”.
Checkmarx also found that certain scenarios enabled hackers to access stored videos and photos or see “GPS metadata embedded in photos” that would locate a user.
The firm was able to exploit these vulnerabilities using a mock-up weather app that only required basic storage permission from an Android user. According to the firm, storage permissions are “very broad” and give access to the “entire SD card”.
“This means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user,” the security team wrote on its website. “Of course, a video also contains sound. It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well.”
The full vulnerabilities included the ability for an attacker to: “take a photo on the victim’s phone and upload (retrieve) it to the C&C server, record a video on the victim’s phone and upload (retrieve) it to the C&C server, parse all of the latest photos for GPS tags and locate the phone on a global map, operate in stealth mode whereby the phone is silenced while taking photos and recording videos and wait for a voice call and automatically record: video from the victim’s side and audio from both sides of the conversation”.
After identifying the flaw, the firm notified Google, which, after researching the report, found that the vulnerabilities were “not specific to the Pixel product line” and that “the impact was much greater and extended into the broader Android ecosystem”.
The tech giant has since fixed the vulnerabilities and thanked the security firm for identifying the issue.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung has also released patches to fix the issue since it was discovered, CNN reports.
According to Checkmarx, the research was part of the company’s “ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based smartphones and IoT devices, while bringing more security awareness amid the consumers who purchase and use them.”
“Protecting privacy of consumers must be a priority for all of us in today’s increasingly connected world,” the company concluded.