Android camera apps from Google and Samsung contained a flaw that left users vulnerable: the smartphone’s camera could be used to take photos or record audio and video without needing any permission from the user, even if the phone was locked or the screen was turned off. The captured data could then be uploaded to a remote server controlled by the attacker.
In addition, researchers at Checkmarx found that the vulnerabilities (CVE-2019-2234) in these camera apps from Google, Samsung and other Android-based OEMs could allow an attacker to use a rogue app to circumvent storage permissions, gain access to photos and videos stored on the device, and extract Exif data, including GPS metadata, from those media files.
It was also found that video and audio could be recorded while the user is on a call, which means that both the caller’s and the user’s voices can be recorded using this vulnerability.
The researchers first tested the vulnerability on the Google Camera app on the Pixel 2 XL and Pixel 3 and found that Android’s permission system could be bypassed to access the camera as well as storage. They found the same on Samsung devices, which means that hundreds of millions of users are affected by this vulnerability. The researchers notified Google about the vulnerability, and Google elaborated that the impact of this flaw extended much further than Pixel devices, to the wider Android ecosystem. Samsung acknowledged the flaw too.
In response to the vulnerabilities found in their camera app, Google said, “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Google was notified about the vulnerability on July 4, 2019, and confirmed the flaw on August 1, 2019. Other Android manufacturers were contacted on August 18, 2019, and Samsung confirmed the vulnerability in its devices too on August 29, 2019. However, the researchers haven’t mentioned if or when Samsung released an update fixing the vulnerability.
“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly,” Samsung said, as first reported by Dan Goodin for Ars Technica.
Is your phone still affected by this vulnerability?
As mentioned by Google in its statement, a patch was issued via a Play Store update to the Google Camera application in July 2019. So, if you’re running an updated Google Camera app, you should be fine. As for other Android devices, as long as your device manufacturer keeps rolling out security patches and you’re on the latest November Android security patch, there should be nothing to worry about.
That said, a majority of Android manufacturers still lag on security updates, which are essential to keep your smartphone secure. So, if your smartphone isn’t getting updates anymore, you might want to consider switching to a manufacturer or device that gets regular patches and updates. If you’re looking for a new device that gets updated regularly, you should check out the Android One devices from several manufacturers, including Nokia, Motorola and Xiaomi, which get updated every month and come with a promise of two further major OS updates.