The Android camera app has a vulnerability that affects millions of devices. On affected devices, other apps could record video, take pictures and even extract GPS data from media files without holding the required permissions. The vulnerability is being disclosed by researchers from Checkmarx in coordination with Google and Samsung. The researchers note that it affects the camera applications from Google and the Korean company.
This Android Bug Affects Camera Applications
The vulnerability is registered as CVE-2019-2234 and affects Google Camera and Samsung Camera apps that have not been updated since before July 2019. Bleeping Computer reports that Checkmarx researchers discovered numerous “intents that could be combined to manipulate the device’s camera” in order to take pictures and record video. To record video, take pictures or detect location, an app needs the following permissions: android.permission.CAMERA, android.permission.RECORD_AUDIO, android.permission.ACCESS_FINE_LOCATION, and android.permission.ACCESS_COARSE_LOCATION.
The researchers also note that apps with the ‘Storage’ permission gained the ability to use the camera application as well. “A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will,” the researchers note. “And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data.”
This behavior is harmful because many Android applications frequently ask for the storage permission. In its report, Checkmarx notes that the storage permission is one of the most commonly requested permissions on Android smartphones. “There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it’s one of the most common requested permissions observed.”
The researchers also managed to create a proof-of-concept app that pretends to be a weather app but quietly sends a picture, video and phone call recordings to its command center. The researchers reported this vulnerability to Google on July 4, 2019, and the search giant elevated it to ‘High’ priority by July 23. The vulnerability was confirmed by Google on August 1, and later that month it was determined that Samsung’s Camera app is also affected. The vulnerability, according to Google, was fixed in July 2019 via a Google Play Store update. The patch was also issued to other vendors. The researchers note that all Android users must upgrade to the latest camera app to stay safe.