Erez Yalon, an information security specialist at Checkmarx, talked about the discovery of a number of camera problems in smartphones, which are collectively tracked under the identifier CVE-2019-2234 and involve a permission bypass in Android. Google and Samsung hastened to fix a bug that allowed applications to monitor users through the camera.
While analyzing the security of the Google Camera application on Google Pixel 2 XL and Pixel 3 devices, the researcher found that Google Camera could be used by any other application, even one that does not have the special permissions for this. Among other things, it turned out to be possible to take photos and record videos even when the target device is locked, the screen is turned off, and the victim is talking on the phone. Of course, all this could be used to spy on unsuspecting users.
As it soon became clear, the problems affected not only Google devices but also Samsung products, which put hundreds of millions of users at risk.
“Under one identifier several bugs were combined at once,” explains Erez Yalon.
The root of the problem is that the camera application in Android usually stores images and videos on an SD card, and other applications need the appropriate permission to access this content. However, access to the card is one of the most frequently requested permissions in general, and these rights are, unfortunately, very broad: they provide access to the entire SD card at once.
As a result, if a malicious application was granted access to the SD card, it would not only gain access to the photographs and videos already stored there, but could also exploit the flaw to capture new photo and video content.
“We easily managed to record the voice of the subscriber during the conversation, and also could record the voice of the caller. This is an undesirable behavior, since the Google Camera application should not completely fall under the control of external applications, bypassing the resolutions for the camera, microphone, GPS,” say the researchers.
As a PoC, the experts created a weather application designed to demonstrate that the attack is possible with only the basic permission to access storage. After launch, this application connected to the control server and waited for operator commands to take photos, record videos, and steal the footage. The experts' PoC application could:
- take a photo on the victim’s phone and upload it to the management server;
- record video and upload it to the management server;
- sort photos by GPS tags and find the device on the map;
- mute the sound during photography and video recording;
- wait for a voice call (relying on the proximity sensor), and then automatically record video of the victim and audio of both participants in the call.
Google engineers were informed of the problem as early as July 4, 2019, and were provided with a PoC application and an accompanying video. However, at first Google employees considered the vulnerability to be moderate, and only later agreed that it should be classified as a high-severity problem. As a result, on August 1 of this year, Google registered the CVE and confirmed that the vulnerability also applies to products of other vendors.
Now Google reports that last summer the problem was resolved through an update for the Google Camera application distributed through the Play Store, and the patch became available to all partners of the company. Samsung representatives also confirmed that they have already released fixes for all models of vulnerable devices.