Security researchers have recently discovered a security flaw in Android’s operating system. The bug, found in the Camera apps of Android devices, reportedly enables cyberattackers to hijack a user’s phone camera without the owner’s permission.
The flaw, tracked as CVE-2019-2234, was first identified by the cybersecurity firm Checkmarx in July. However, the team’s findings were only published on Tuesday, Nov 19.
According to them, the investigation began by exploring the Google Camera app on a Google Pixel 2 XL and Pixel 3. From there, researchers were able to discover that the camera app can be manipulated through numerous courses of action. This makes it “possible for any application, without specific permissions, to control the Google Camera app.”
Among the things cyberattackers could do are recording videos, taking pictures, and extracting GPS data without the permission of the device’s owner.
“A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos but with this new attack methodology, can be directed to initiate (take) new photos and videos at will,” the researchers wrote. “And it doesn’t stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data.”
In their report, the team also revealed that they could easily record the receiver’s voice during a test call.
“This is not desired behavior, since the Google Camera app should not be allowed to be fully controlled by an external app, circumventing the camera/mic/GPS permissions that the user is trusting the Android OS to enforce,” they added.
In a report from Business Insider, a spokesperson from Google said the company has released patches to resolve the security issue since the researchers notified it last June.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” the spokesperson wrote in an email. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
In the same report, a Samsung spokesperson said that the company has already patched the flaw in its devices.
“We recommend that all users keep their devices updated with the latest software to ensure the highest level of protection possible,” the spokesperson added.