Researchers at security firm Checkmarx have uncovered several vulnerabilities in the camera apps of multiple Android smartphone made by Original Equipment Manufacturers (OEM) such as Google and Samsung.
As Checkmarx Senior Security Researcher Pedro Umbelino explains, the team started their investigation by having a look at the Google Camera app on Pixel 2 XL and Pixel 3 handsets. They found multiple vulnerabilities relating to “permission bypass issues” which could allow an attacker to use the app to take photos and record videos via a rogue app.
Attacks are even possible when a victim’s phone is locked, the screen is off and during voice calls. To demonstrate the various vulnerabilities, the team at Checkmarx designed a proof-of-concept app meant to look like an ordinary weather app. With it, they were successfully able to snap photos and videos without a user’s knowledge, grab GPS data from photos and even record audio from both sides of a conversation during voice calls. Check the demonstration below:
The Checkmarx team notified Google of their findings, who then confirmed that the issue wasn’t limited to their camera app but rather, extended into the general Android ecosystem.
Google and other OEMs have since fixed the vulnerability but you will need to make sure you are running the latest app updates to mitigate your vulnerability. As a general best practice, make sure you have the latest updates for each and every app on your mobile device.
Image credit: FirstPost