Vulnerabilities in Android Camera Apps Exposed Millions of Users to Spying

Vulnerabilities discovered by researchers in the Android camera apps provided by Google and Samsung could have been exploited by malicious actors to spy on hundreds of millions of users.


Cybersecurity firm Checkmarx reported on Tuesday that its researchers have found a way to abuse Android camera applications to conduct a wide range of spying activities, including taking photos, recording videos, tracking a user’s location, and recording voice calls.


The attack was possible due to a series of vulnerabilities collectively tracked as CVE-2019-2234. The research was conducted on Google’s Pixel phones, but it was later discovered that the camera application on Samsung smartphones was affected as well.


The vulnerabilities allowed a malicious application installed on the targeted device to take control of the camera app present on Google and Samsung devices and spy on users without requiring any special permissions.


Checkmarx demonstrated the impact of the vulnerabilities by creating a fake weather application that only requires storage permissions. By exploiting the camera app vulnerabilities while holding only storage permissions, the malicious application could take a photo using the victim’s camera, record a video, and record both sides of a voice call. The app could also upload the photos, videos and voice call recordings to the attacker’s server, extract location data from photos to track the victim, and mute the phone in an effort to operate in stealth mode.


The weather app created a persistent connection to the attacker’s server, which would not be terminated when the fake application was closed, thus allowing the hacker to continue spying on the victim.


Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made ..
