The open nature of Android has always been one of its biggest advantages, but it is a double-edged sword that regularly produces serious security holes. Security research firm Checkmarx disclosed one such hole affecting several Google and Samsung smartphones. The vulnerability allowed a malicious app to take control of the device's camera app and use it to covertly take photos, record video, record conversations, work out the user's location, and more.
Google and Samsung camera apps responsible
Researchers found the vulnerability in the Google Camera app on the Pixel 2 XL and Pixel 3. It allowed a malicious app to drive the Google Camera and Samsung Camera apps without holding any camera, microphone or location permission itself: the camera app did the privileged work on the attacker's behalf. The only permission the malicious app needed was storage access, which is granted to countless apps without a second thought and gives it the contents of the internal memory and SD card, where the camera app writes its photos and videos.
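The bypass above works because a privileged app (here the camera app) performs an action for a caller that holds none of the permissions that action would normally require. On Android, the entry points another app can reach are the exported components declared in AndroidManifest.xml, so the first check a reviewer runs on such an app is: which components can any other app invoke without holding a permission? The script below is an added example written for this article, not Checkmarx's PoC or any vendor's code; the manifest it audits is constructed for the demo and does not reproduce the real camera app's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(element, name):
    """Read an attribute from the android: namespace (e.g. android:exported)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Apply Android's export rules to one manifest component.

    An explicit android:exported wins. Without it, activities, services and
    receivers are exported when they declare an intent-filter; providers are
    treated as not exported (the default from API 17 onward, assumed here).
    """
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if component.tag == "provider":
        return False
    return component.find("intent-filter") is not None


def audit_manifest(manifest_xml):
    """Return every component another app can reach without holding a permission."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    findings = []
    if application is None:
        return findings
    for component in application:
        if component.tag not in COMPONENT_TAGS or not is_exported(component):
            continue
        if _attr(component, "permission"):
            continue  # the caller must hold this permission, so not a free entry point
        findings.append({
            "type": component.tag,
            "name": _attr(component, "name"),
            "explicit": _attr(component, "exported") is not None,
            "actions": [_attr(a, "name") for a in component.iter("action")],
        })
    return findings


# Constructed sample manifest for the demo (not any real app's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <application>
    <!-- implicitly exported via its intent-filter, no permission: free entry point -->
    <activity android:name=".CaptureActivity">
      <intent-filter>
        <action android:name="android.media.action.IMAGE_CAPTURE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <!-- exported, but callers must hold CAMERA themselves: not flagged -->
    <activity android:name=".SecureCaptureActivity" android:exported="true"
              android:permission="android.permission.CAMERA">
      <intent-filter>
        <action android:name="android.media.action.IMAGE_CAPTURE"/>
      </intent-filter>
    </activity>
    <service android:name=".UploadService" android:exported="false"/>
    <!-- explicitly exported with no permission: free entry point -->
    <receiver android:name=".BootReceiver" android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        how = "explicit" if f["explicit"] else "implicit via intent-filter"
        print("%-8s %-24s exported (%s) actions=%s" % (f["type"], f["name"], how, f["actions"]))
```

Every component the script lists is reachable by any app on the device, so each one either needs an android:permission, or its handler must refuse to do anything privileged (such as capturing media) without direct user interaction. Note that from Android 12 (API 31) the implicit-export branch no longer applies, because components with an intent-filter must declare android:exported explicitly or the app fails to install.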
As a proof of concept, Checkmarx built a fake weather app that requested nothing more than storage access. Like many malicious apps, it works in two stages. The app itself does nothing harmful and does not trip Google Play Protect. Once installed, it opens a connection to a remote server and waits for instructions; closing the app does not close that connection, so the attacker can issue commands at will. From there, an attacker can:
- Capture photos and videos using the smartphone camera and upload them to a remote server. All of this is possible without alerting the user, as the camera shutter sounds are muted.
- Detect when the user is on a call via the device's proximity sensor and record the audio of both parties.
- Record video of the user while capturing that call audio.
- Get unrestricted access to all on-device photos and videos.
- Read the GPS tags embedded in all on-device photos, provided the user has geotagging enabled in the camera app, and use them to build a map of the user's location history.
- All of this is possible even when the device is locked.
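The location-history item above needs no camera access at all: with the storage permission alone, an app can read the EXIF GPS tags the camera app wrote into every geotagged photo. The code below is an added example for this article (not Checkmarx's PoC); it builds a constructed JPEG that carries only an EXIF GPS block, then parses that block by hand so the bytes involved are visible. Real tooling would use an EXIF library, but the parsing logic is the same.

```python
import struct

GPS_IFD_POINTER = 0x8825                  # IFD0 tag pointing at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _pack_rationals(values, e):
    return b"".join(struct.pack(e + "II", int(v), 1) for v in values)


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample: a JPEG whose only content is an EXIF GPS IFD (not a photo)."""
    e = "<"                                                        # little-endian TIFF
    tiff_header = b"II" + struct.pack(e + "HI", 42, 8)            # IFD0 at offset 8
    gps_ifd_off = 8 + 2 + 12 + 4                                   # GPS IFD follows IFD0
    ifd0 = (struct.pack(e + "H", 1)
            + struct.pack(e + "HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_ifd_off)
            + struct.pack(e + "I", 0))
    data_off = gps_ifd_off + 2 + 4 * 12 + 4                        # rationals follow GPS IFD
    lat_data, lon_data = _pack_rationals(lat_dms, e), _pack_rationals(lon_dms, e)
    entries = [  # tags 1-4: lat ref, lat (deg/min/sec), lon ref, lon
        struct.pack(e + "HHI", 1, TYPE_ASCII, 2) + lat_ref.encode("ascii") + b"\x00\x00\x00",
        struct.pack(e + "HHII", 2, TYPE_RATIONAL, 3, data_off),
        struct.pack(e + "HHI", 3, TYPE_ASCII, 2) + lon_ref.encode("ascii") + b"\x00\x00\x00",
        struct.pack(e + "HHII", 4, TYPE_RATIONAL, 3, data_off + len(lat_data)),
    ]
    gps_ifd = struct.pack(e + "H", len(entries)) + b"".join(entries) + struct.pack(e + "I", 0)
    payload = b"Exif\x00\x00" + tiff_header + ifd0 + gps_ifd + lat_data + lon_data
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"                       # SOI, APP1, EOI


def _find_exif(jpeg):
    """Walk the JPEG segments and return the TIFF blob from the APP1 Exif segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                  # EOI or start of scan: no more headers
            break
        seg_len = struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + seg_len
    return None


def _read_ifd(tiff, e, off):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    count = struct.unpack_from(e + "H", tiff, off)[0]
    entries = {}
    for i in range(count):
        base = off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, base)
        entries[tag] = (typ, n, tiff[base + 8:base + 12])
    return entries


def _ascii_value(tiff, e, entry):
    typ, n, raw = entry                         # values of 4 bytes or fewer are stored inline
    data = raw[:n] if n <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:n]
    return data.rstrip(b"\x00").decode("ascii")


def _rational_values(tiff, e, entry):
    typ, n, raw = entry
    off = struct.unpack(e + "I", raw)[0]        # 8-byte rationals never fit inline
    vals = []
    for i in range(n):
        num, den = struct.unpack_from(e + "II", tiff, off + 8 * i)
        vals.append(num / den if den else 0.0)
    return vals


def dms_to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if the file has no GPS tags."""
    tiff = _find_exif(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    e = "<" if tiff[:2] == b"II" else ">"
    ifd0 = _read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0])
    if not all(tag in gps for tag in (1, 2, 3, 4)):
        return None
    lat = dms_to_decimal(_rational_values(tiff, e, gps[2]), _ascii_value(tiff, e, gps[1]))
    lon = dms_to_decimal(_rational_values(tiff, e, gps[4]), _ascii_value(tiff, e, gps[3]))
    return lat, lon


if __name__ == "__main__":
    sample = build_geotagged_jpeg((37, 46, 30), "N", (122, 25, 0), "W")
    print(extract_gps(sample))                   # decimal lat/lon recovered from the tags
```

Run over a whole gallery, the timestamps and coordinates recovered this way are exactly the location history the article describes, which is why geotagging should be off unless it is actually wanted and why a storage permission request deserves more scrutiny than it usually gets.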
Google confirmed the vulnerability in August, Samsung at the end of that month
Checkmarx reported the vulnerability to Google in July 2019. Google initially rated its severity as Moderate and raised it to High after further feedback from Checkmarx. On August 1, Google confirmed that the issue likely affected other Android device makers as well, and those vendors were notified later that month. Here's the complete timeline of how it all unfolded, according to Checkmarx:
- Jul 4, 2019 – Submitted a vulnerability report to Android’s Security team at Google
- Jul 4, 2019 – Google confirmed receiving the report
- Jul 4, 2019 – A PoC “malicious app” was sent to Google
- Jul 5, 2019 – A PoC video of an attack scenario was sent to Google
- Jul 13, 2019 – Google set the severity of the finding as “Moderate”
- Jul 18, 2019 – Sent further feedback to Google
- Jul 23, 2019 – Google raised the severity of the finding to “High”
- Aug 1, 2019 – Google confirms our suspicion that the vulnerabilities may affect other Android smartphone vendors and issues CVE-2019-2234
- Aug 18, 2019 – Multiple vendors were contacted regarding the vulnerabilities
- Aug 29, 2019 – Samsung confirmed they are affected
- Nov 2019 – Both Google and Samsung approved the publication
Google says the issue was fixed on affected Google devices through a Play Store update to the Google Camera app in July 2019, and that a patch was made available to all affected OEMs in the same month. The issue now appears to be fixed, but there is no telling how many users had their data taken before it was.