MobileNews

Android flaw allowed apps to take and upload pictures, some devices still vulnerable

A recently-revealed flaw that affected all Android devices at one point allowed attacker applications to take pictures and upload them to servers without user permission. Thankfully, this Android camera flaw has been patched on some devices.

Detailed by (via ), this issue allowed apps to use the camera to take photos without user permission.

For quite some time – since Marshmallow – Android has used pop-ups to allow permissions for apps including the ability to access the camera. To get around that, this method used the camera application already on the device. Both the Google Camera app on Pixels and the Samsung Camera app were proved vulnerable.

Using this method, the vulnerable camera apps would take a photo which the malicious app could then see the EXIF and GPS data on to even determine the user’s location. The photos could also be uploaded to a remote server.

Of course, for this, the app would need to be given storage access by the user, but that is one of the most commonly provided permissions. Since the app is controlling other camera apps on the device, the attack also can’t take place while the user is looking at the device since it would be an obvious giveaway.

With a proof of concept app, was able to take a picture while the app was closed and the screen was off, pull the GPS data from that photo, eavesdrop on a two-way phone call, silence the camera shutter, transfer those photos and videos to an external server, and pull the images and videos already stored on the phone. The app also used the proximity sensor to know when it was placed face-down to as a way to avoid the user seeing the attack in progress.

Luckily, Google and Samsung have both fixed these issues on their camera apps. This Android flaw was fixed in the Google Camera app on Pixel devices back in July when the issue was first reported while Samsung patched the issue at a later date. Google says:

We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.

Android partners have access to a patch for this issue as Google has said, but it’s unclear if all partners have adopted it. All Pixel and Galaxy smartphones are immune at this point but Google implied to that some of its partners have yet to fix the issue. The company has not publicly confirmed this or mentioned who that might include, though.


Check out the latest Samsung phones at great prices from Gizmofashion – our recommended retail partner.


Author: Ben Schoon
Source: 9TO5Google

Related posts
AI & RoboticsNews

Nvidia and DataStax just made generative AI smarter and leaner — here’s how

AI & RoboticsNews

OpenAI opens up its most powerful model, o1, to third-party developers

AI & RoboticsNews

UAE’s Falcon 3 challenges open-source leaders amid surging demand for small AI models

DefenseNews

Army, Navy conduct key hypersonic missile test

Sign up for our Newsletter and
stay informed!