Aurich Lawson / Getty

Until recently, weaknesses in the Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio, take pictures, and upload them to a server controlled by an attacker, all without any permission to do so. Camera apps from other manufacturers may still be vulnerable.

The weakness, discovered by researchers from security firm Checkmarx, posed a potential privacy risk for high-value targets, such as those targeted by nation-sponsored spies. Google has carefully designed its Android operating system to prevent apps from accessing cameras and microphones without explicit permission from end users. Research published Tuesday showed that it was trivial to bypass those restrictions. The research showed that an app needed no permissions at all to make the camera take photos and record video and audio. To upload the images and video (or other images and videos stored on the phone) to an attacker-controlled server, an app only needed permission to access storage, which is one of the most commonly requested permissions.

The weakness, which is tracked as CVE-2019-2234, also allowed attackers to track the physical location of the device, provided that GPS data was embedded in the images or videos. Google fixed the bug in its Pixel line of devices with a camera update that became available in July. Checkmarx said that Samsung also fixed the vulnerability, although it was not clear when that happened. Checkmarx said that Google has indicated that Android phones from other manufacturers may also be vulnerable. The specific makers and models were not disclosed.

“The possibility for an application to retrieve input from the camera, microphone and GPS location is considered by Google itself to be very invasive,” wrote Checkmarx Director of Security Research Erez Yalon in Tuesday’s analysis. “As a result, AOSP has created a specific set of permissions that an application must request from the user.”

To demonstrate the risk, Checkmarx developed a proof-of-concept rogue app that exploited the weakness. It presented itself as a simple weather app. Hidden inside were functions that could:

  • Take photos and record videos even when the phone was locked, the screen was off, or the app was closed
  • Retrieve GPS data embedded in every photo or video stored on the phone
  • Listen to and record two-way phone calls while recording video or taking photos at the same time
  • Silence the camera shutter to make the spying harder to detect
  • Transfer any photo or video stored on the phone to an attacker-controlled server
  • List and download any JPG image or MP4 video stored on the phone’s SD card

An attack would not be completely covert. The screen of an exploited device would display the camera app while it was recording video or taking a photo. That would be a tip-off to anyone looking at the handset while the attack was underway. However, the attack could capture video, sound, and images when the phone’s display was out of sight, such as when the device was placed face down. The app could use the proximity sensor to determine when the device was face down.

Checkmarx’s PoC app was also able to use a phone’s proximity sensor to detect when it was held against a target’s ear, as commonly happens during phone calls. The app could then record both sides of the conversation. It could also record video or take photos, a handy option in case the back of the phone was facing a whiteboard or something else of interest to an attacker. The Checkmarx report includes a video demonstrating the PoC app’s capabilities.

In a statement, Google officials wrote: “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on affected Google devices via a Play Store update for the Google Camera application in July 2019. A patch has also been made available to all partners.”

Samsung officials wrote: “Since Google informed us of this issue, we have subsequently released patches for all Samsung device models that could be affected. We appreciate our collaboration with the Android team that enabled us to directly identify and address this issue.”

The statement did not state when Samsung released the fix or how Samsung customers can check whether the patch has been installed.

Checkmarx said that Google has privately indicated that Android phone manufacturers other than Samsung may also be vulnerable. Google’s statement did not immediately confirm this or say whether other manufacturers have shipped an update.

In an email, Yalon of Checkmarx said it was not clear why apps could access the camera without the user’s consent. He speculated that the weakness may stem from Google making the camera work with the voice-activated Google Assistant, with other manufacturers following suit.

Users of Pixel phones can confirm that they are not vulnerable by opening Apps & Notifications in the Settings menu and choosing Camera > Advanced > App Details. The screen should show that the app has been updated since July (and ideally much later than that).

Checking whether other Android phones are vulnerable will be difficult for most users. Those who are technically skilled can run the following command:

$ adb shell am start-activity -n com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez extra_turn_screen_on true -a android.media.action.VIDEO_CAMERA --ez android.intent.extra.USE_FRONT_CAMERA true

The command above forces the phone to record video. The following command forces the phone to take a photo:

$ adb shell am start-activity -n com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez extra_turn_screen_on true -a android.media.action.STILL_IMAGE_CAMERA --ez android.intent.extra.USE_FRONT_CAMERA true --ei android.intent.extra.TIMER_DURATION_SECONDS 3
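For readers who would rather script the "camera app updated since July" check described for Pixel phones than click through Settings, here is an added shell snippet; it is not part of the article or of Checkmarx's research. It parses the output of `adb shell dumpsys package` for the `lastUpdateTime=` line that Android's package manager prints; the package name is the one from the adb commands above, the cut-off month comes from the article, and the sample dumpsys excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: automate the "Google Camera updated since July 2019" check.
# Assumes dumpsys prints a "lastUpdateTime=YYYY-MM-DD HH:MM:SS" line.
CAMERA_PKG="com.google.android.GoogleCamera"   # package from the article's commands
CUTOFF_DATE="2019-07-01"                       # month the Pixel fix shipped

# updated_since DUMPSYS_TEXT [CUTOFF]
# Exit status: 0 = last updated on/after cutoff, 1 = older than cutoff,
#              2 = no lastUpdateTime line found (package absent or renamed).
updated_since() {
    cutoff="${2:-$CUTOFF_DATE}"
    # Take the date part of the first lastUpdateTime= line.
    last=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*lastUpdateTime=\([0-9][0-9-]*\).*/\1/p' \
        | head -n 1)
    [ -n "$last" ] || return 2
    # Compare as YYYYMMDD integers after dropping the dashes.
    lastnum=$(printf '%s' "$last" | tr -d '-')
    cutnum=$(printf '%s' "$cutoff" | tr -d '-')
    [ "$lastnum" -ge "$cutnum" ]
}

# check_device: query a connected phone (needs adb and USB debugging enabled).
check_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    out=$(adb shell dumpsys package "$CAMERA_PKG")
    rc=0
    updated_since "$out" || rc=$?
    case "$rc" in
        0) echo "$CAMERA_PKG was updated on or after $CUTOFF_DATE" ;;
        1) echo "$CAMERA_PKG was last updated before $CUTOFF_DATE" >&2 ;;
        *) echo "$CAMERA_PKG: no lastUpdateTime line found" >&2 ;;
    esac
    return "$rc"
}

# Constructed sample dumpsys excerpts (not real device output).
SAMPLE_PATCHED='Package [com.google.android.GoogleCamera] (1a2b3c):
    versionName=0.0.0-constructed
    firstInstallTime=2018-10-02 09:15:00
    lastUpdateTime=2019-11-19 08:41:12'
SAMPLE_OLD='Package [com.google.android.GoogleCamera] (1a2b3c):
    firstInstallTime=2018-10-02 09:15:00
    lastUpdateTime=2019-03-04 17:02:55'

# Uncomment to run against a connected phone:
# check_device
```

As with the manual check, `lastUpdateTime` only shows that the package was updated after the cut-off; on non-Pixel devices the camera package name differs and the script will report that no `lastUpdateTime` line was found.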

The skill and luck needed to make the attack work reliably and without detection are high enough that this type of exploit is unlikely to be used against the vast majority of Android users. Yet the ease of getting malicious apps into the Google Play Store suggests that it would not be difficult for a determined and sophisticated attacker to pull off. Little wonder that phones and other electronics are barred from SCIFs and other sensitive environments.
