A recent report published by Israeli security research firm Checkmarx reveals that the camera apps from Google and Samsung contain vulnerabilities that, when exploited, could allow an attacker to gain complete control over the app even if the app’s permissions (for storage, location, etc.) are locked.
In a detailed report and video, the researchers at Checkmarx demonstrate that their mock-up app—a seemingly harmless weather app—was able to hijack the default camera app on a Google Pixel 2 XL running Android 9 Pie.
“After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.
“In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was in the middle of a voice call.”
The video shows that Checkmarx’s app was able to record videos, take photos, bypass the camera app’s permissions, access stored media, and retrieve the user’s location through the media file’s GPS metadata.
The report mentions that this sort of hijack is possible with Samsung’s camera app as well.
The report goes on to mention that Google responded by acknowledging the problem and informing Checkmarx that a fix had already been sent out in July, earlier in the year.
“The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
In the video, the researchers also show a real-life scenario in which this sort of attack could be dangerous to the user and their data. An attacker is seen making a call to the victim. When the victim places the phone against their ear, the attacker runs the mock-up hijack app to record video through the phone’s rear camera.
The recorded video captures the sensitive data that’s viewed on the user’s external display, thus letting the attacker steal data using the hijack app.