Android camera bug could have turned phones against their users

Android users beware: rogue apps could be using your phone’s camera against you, taking pictures and videos without your knowledge and sending them to attackers. They could even record your phone calls and make others aware of your location.

News of the vulnerability, which affects the Android camera app used by millions of Google Pixel and Samsung Android users, comes courtesy of application security testing company Checkmarx, which has been working with Google and Samsung to fix it. The company’s researchers figured out a way to hijack the camera on Android phones using a permission bypass vulnerability.

Aware that access to camera functions is highly sensitive, Google created a special set of permissions that the user would have to grant to an application before it could use the phone’s camera. These permissions are:

  • android.permission.CAMERA
  • android.permission.RECORD_AUDIO
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_COARSE_LOCATION

The vulnerability that Checkmarx discovered enables apps to bypass the need for those permissions as long as they have storage permissions that enable an application to access the SD card. In a report on the vulnerability, the company explained:

“An application that has access to storage not only has access to past photos and videos (which it already had, by permission design, nothing new there), but also has a way to access newly taken photos and videos by abusing the Google Camera app exported components.”

This means an app with SD card permissions gets access to the user’s phone, which enables an attacker to turn the camera into a remotely-controlled sensor:

“By manipulating the specific actions and intents, an attacker can now control the Google Camera app to take photos and/or record videos through a rogue application that has no permissions to do so.”

Certain conditions on the phone could enable them to harvest more data still, the report continued. If the phone’s location data settings embedded location information in the photos’ EXIF metadata, they could access that data and find out where the photos were taken (and therefore where the user has been).

The attack can use the phone’s front or back camera, and can also operate in stealth mode while the lock screen is on.

The team tested out the vulnerabilities by creating their own weather app, which bypassed permissions so that it could take photos and videos. The software had two parts: a client residing on the phone communicated with a back-end command and control (C2) server that enabled the researchers to control its activities on the victim’s phone.

Using the app, the researchers not only took videos and photos with geolocation information but also recorded both sides of a phone conversation, all without the user’s knowledge. The company produced a video detailing the project and outlining some real-world attack scenarios.

Google assigned the vulnerability a ‘moderate’ rating after Checkmarx’s first report in July but subsequently raised it to ‘high’. Then, late that month, it agreed with the researchers that the bug might affect other Android OEMs. Samsung confirmed that its phones were subject to the flaw in August.

Both of these vendors have fixed the problem in their own implementations of the Android camera app. Google rolled out the fix in July this year to the Google Play store. Updating your Android OS and camera app to the latest version is always advisable, as is auditing the applications you’re using to see what permissions you’ve given them, and asking whether you’re really OK with that dodgy flashlight or fart app with no reviews having full access to your SD card.
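The underlying weakness described in the report is an app exposing exported components that other apps can drive with intents. For developers who want to check their own apps for that class of exposure, here is an added example (not code from Checkmarx, Google or Samsung) that lists components in an AndroidManifest.xml that are exported without a permission guarding them. The manifest, package name and action names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Providers are left out: they also use separate read/write permissions.
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed manifest for a hypothetical camera app, not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <application>
    <activity android:name=".CaptureActivity" android:exported="true">
      <intent-filter><action android:name="com.example.camera.action.CAPTURE"/></intent-filter>
    </activity>
    <activity android:name=".LegacyVideoActivity">
      <intent-filter><action android:name="com.example.camera.action.RECORD"/></intent-filter>
    </activity>
    <service android:name=".UploadService" android:exported="true"
        android:permission="com.example.camera.permission.UPLOAD"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""


def unprotected_exported_components(manifest_xml):
    """Return (tag, name, reason, actions) for components any installed app can start."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    if app is None:
        return findings
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = elem.get(A + "exported")
        if exported == "true":
            reason = "explicitly exported"
        elif exported is None and elem.find("intent-filter") is not None:
            # Apps targeting below Android 12: an intent filter implies exported.
            reason = "exported by default (has intent-filter)"
        else:
            continue
        if elem.get(A + "permission") or app.get(A + "permission"):
            continue  # callers must hold the declared permission
        actions = [a.get(A + "name") for a in elem.iter("action")]
        findings.append((elem.tag, elem.get(A + "name"), reason, actions))
    return findings


if __name__ == "__main__":
    for finding in unprotected_exported_components(SAMPLE_MANIFEST):
        print(finding)
```

Each finding is a component that needs either `android:exported="false"`, an `android:permission` requirement, or its own caller checks before it performs a sensitive action.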