Researchers at Checkmarx say they have discovered vulnerabilities in Google and Samsung smartphone apps that could allow hackers to remotely spy on users using their phone’s camera and speakers.
The proof-of-concept (PoC) study results, highlighted on the Checkmarx blog reveal how the Checkmarx Security Research Team cracked into the apps that control android phone cameras (firstly using a Google Pixel 2 XL and Pixel 3) in order to identify potential abuse scenarios.
The team reported finding “multiple concerning vulnerabilities” (CVE-2019-2234) which stemmed from “permission bypass issues”. The team later found that camera apps from other vendors i.e. Samsung are also affected by the same vulnerabilities.
The Checkmarx team have since shared a technical report of their findings with Google, Samsung, and other Android-based smartphone OEMs to enable those companies to find fixes.
What Could Happen?
According to Checkmarx, the vulnerabilities mean that a hacker could use a rogue application (that has no authorised permissions) to take control of another person’s Android phone camera app. This could allow the attacker to take photos and/or record videos as well as to gain access stored videos and photos, GPS metadata embedded in photos, and even to locate the user by taking a photo or video and parsing the proper EXIF data.
The researchers also found a way to enable a rogue app to force camera apps to take photos and record video even when a phone was locked or the screen is turned off, or when a user was is in the middle of a voice call.
One particularly worrying aspect of the Checkmarx findings is that if the video can be initiated during a voice call the receiver and the caller’s voices can be recorded. This could allow eavesdropping that could enable an attacker to discover potentially sensitive personal data or to gather information that could be used for extortion.
According to Checkmarx, after they shared their findings with Google, the Checkmarx team were notified by Google that the vulnerabilities weren’t confined to the Google Pixel product line but also extended to products (Android) by other manufacturers. For example, Samsung also reportedly acknowledged that the flaws impact their Camera apps and said that they had begun taking mitigating steps. Checkmarx reports that Google has said that the problem has now been addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. Also, a patch has been made available to all Google partners.
What Does This Mean For Your Business?
It is very worrying that hundreds-of-millions of smartphone users may have been facing a serious privacy and security risk without being aware of it. For business users, this may have left them open to industrial espionage and security threats, although there is no evidence that real hackers have exploited the vulnerabilities prior to them coming to light.
When it comes to smartphone apps, the best practice is to ensure that all apps on your device are kept updated. Other defensive actions you can take regarding your phone apps include checking the publisher of an app, checking which permissions the app requests when you install it, and deleting any apps from your phone that you no longer use. It’s also now important to be aware of the threat posed by fake apps, and you may wish to contact your phone’s service provider or visit the high street store if you think you’ve downloaded a fake malicious/suspect app.