Android flaw lets rogue apps take photos, record video even if your phone is locked

Google and Samsung have confirmed the existence of security vulnerabilities which allow cyberattackers to hijack your phone camera and covertly take pictures or record video -- even if your device is locked.
On Tuesday, Erez Yalon, Director of Security Research at Checkmarx, disclosed the bugs, tracked collectively as CVE-2019-2234, which stem from permission bypass issues.
The team began an investigation of the security of our smartphones' camera capabilities by exploring the Google Camera app on a Google Pixel 2 XL and Pixel 3, leading to the discovery that they were able to tamper with particular actions and, overall, make it "possible for any application, without specific permissions, to control the Google Camera app."
This included taking photos and recording video, even if the target device was locked or the screen was turned off, or if the victim was in the middle of a phone call -- all of which are potential attack vectors that could lead to surveillance and a serious invasion of privacy.
Checkmarx says that other smartphone vendors making use of the Android operating system, namely Samsung, were also vulnerable. As a result, it is possible that hundreds of millions of end-users could have been susceptible to exploit. 
Google is strict when it comes to mobile applications obtaining access to sensitive information from camera, microphone, or location services. As a result, users must accept permission requests, but in Checkmarx's attack scenario, these requirements are bypassed. 
The Android camera application usually stores images and videos on an SD card, and so for apps to access this content, they require storage permissions. 
"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card," the researchers note. "There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it's one of the most common requested permissions observed."
It is this set of permissions that the team decided to use as an attack conduit. If a malicious app was granted access to the SD card, it could not only read existing photos and videos, but the vulnerability also allowed it to force the camera app to capture new images and video content.
"We could easily record the receiver's voice during the call and we could record the caller's voice as well," the researchers said. "This is not desired behavior, since the Google Camera app should not be allowed to be fully controlled by an external app, circumventing the camera/mic/GPS permissions that the user is trusting the Android OS to enforce."
To make matters worse, as GPS metadata is often recorded and embedded into images, an attacker could theoretically parse this data and gain knowledge of a user's whereabouts. 
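The GPS concern above is one a defender can check for directly: a JPEG's Exif APP1 segment may carry a GPS sub-IFD (referenced from IFD0 by tag 0x8825) holding latitude, longitude and related tags. The following is an added example, not code from the article or from Checkmarx: it walks a JPEG's marker segments without any imaging library, reports which GPS tags are present, and produces a copy with the Exif segment removed so that location data is not shipped along with the image. The sample JPEG byte string is constructed inline for the demonstration (a few marker segments and a hand-built Exif block with a latitude entry), not a real photo.

```python
import struct

# Exif/TIFF constants (from the Exif specification)
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_INFO = 0x8825        # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF = 0x0001     # "N" / "S"
TAG_GPS_LATITUDE = 0x0002    # three RATIONALs: degrees, minutes, seconds


def _build_sample_jpeg_with_gps() -> bytes:
    """Constructed sample (not a real photo): SOI, APP1 Exif with a GPS IFD, DQT, SOS, EOI.
    TIFF offsets are relative to the TIFF header; layout is documented inline."""
    # header(8) | IFD0 at 8 (18 bytes, ends 26) | GPS IFD at 26 (30 bytes, ends 56) | rationals at 56
    tiff = b"II*\x00" + struct.pack("<I", 8)                       # little-endian TIFF header
    tiff += struct.pack("<H", 1)                                    # IFD0: one entry
    tiff += struct.pack("<HHII", TAG_GPS_INFO, 4, 1, 26)            # LONG, count 1, value = GPS IFD offset
    tiff += struct.pack("<I", 0)                                    # no next IFD
    tiff += struct.pack("<H", 2)                                    # GPS IFD: two entries
    tiff += struct.pack("<HHI", TAG_GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"   # ASCII "N\0" fits inline
    tiff += struct.pack("<HHII", TAG_GPS_LATITUDE, 5, 3, 56)        # RATIONAL x3 stored at offset 56
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<IIIIII", 51, 1, 30, 1, 0, 1)              # 51 deg 30' 0"
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x00"          # placeholder table segment
    sos = b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34"          # SOS header + fake scan data
    return b"\xff\xd8" + app1 + dqt + sos + b"\xff\xd9"


SAMPLE_JPEG = _build_sample_jpeg_with_gps()


def iter_segments(jpeg: bytes):
    """Yield (marker, raw_bytes) for each length-prefixed segment before the scan; the SOS
    marker and everything after it are yielded as one chunk, since entropy-coded data has
    no length field. Assumes no stand-alone markers (RSTn etc.) appear before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield 0xD8, jpeg[:2]
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:
            yield 0xDA, jpeg[pos:]
            return
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + seg_len]
        pos += 2 + seg_len
    if pos < len(jpeg):
        yield None, jpeg[pos:]


def _exif_gps_tags(payload: bytes) -> set:
    """Return the set of tag ids in the GPS sub-IFD of an Exif APP1 payload (empty if none)."""
    if not payload.startswith(EXIF_HEADER):
        return set()
    t = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}.get(t[:2])
    if endian is None or len(t) < 8 or struct.unpack(endian + "H", t[2:4])[0] != 42:
        return set()
    ifd0 = struct.unpack(endian + "I", t[4:8])[0]

    def entries(off):
        # Each IFD: 2-byte count followed by 12-byte entries (tag, type, count, value/offset)
        if off + 2 > len(t):
            return []
        n = struct.unpack(endian + "H", t[off:off + 2])[0]
        out = []
        for i in range(n):
            e = off + 2 + 12 * i
            if e + 12 > len(t):
                break
            out.append(struct.unpack(endian + "HHII", t[e:e + 12]))
        return out

    gps_off = next((val for tag, _, _, val in entries(ifd0) if tag == TAG_GPS_INFO), None)
    return set() if gps_off is None else {tag for tag, _, _, _ in entries(gps_off)}


def gps_tags(jpeg: bytes) -> set:
    """All GPS tag ids found across the JPEG's APP1 Exif segments."""
    tags = set()
    for marker, seg in iter_segments(jpeg):
        if marker == 0xE1:
            tags |= _exif_gps_tags(seg[4:])   # skip marker (2) + length (2)
    return tags


def has_gps(jpeg: bytes) -> bool:
    return bool(gps_tags(jpeg))


def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the JPEG with every APP1 Exif segment dropped; all other segments are kept."""
    out = bytearray()
    for marker, seg in iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    return bytes(out)


if __name__ == "__main__":
    print("GPS tags in sample:", sorted(hex(t) for t in gps_tags(SAMPLE_JPEG)))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("GPS present after strip:", has_gps(cleaned), "size", len(SAMPLE_JPEG), "->", len(cleaned))
```

Dropping the whole APP1 segment is the conservative choice for a privacy filter: it removes GPS data along with every other Exif field, and it leaves the pixel data untouched, so the image still decodes.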
A proof-of-concept (PoC) mock weather app has been designed to show that as long as there are basic storage permissions in place, this attack vector is possible. When opened, the app connects to a command-and-control (C2) server and waits for the operator to send commands to take and steal footage.
The PoC app is able to perform the following functions:
  • Take a photo on the victim's phone and upload it to the C2
  • Record a video on the victim's phone and upload it to the C2
  • Parse photos for GPS tags and locate the phone on a global map
  • Silence the phone while taking photos and recording videos
  • Wait for a voice call -- made possible through the phone's proximity sensor -- and automatically record video from the victim and audio from both sides
The vulnerability impacts all Google handsets, including those beyond the Pixel product line. 
Google was informed of the researchers' findings on July 4, 2019, and both the PoC app and an accompanying video were sent a day later. Google initially rated the issue as only "moderate" in severity, but the researchers' feedback later convinced the tech giant to raise it to "high," and by August 1, Google had registered the CVE and confirmed that other vendors were impacted. 
A fix was then released, leading to public disclosure.