With the Pegasus spyware episode still fresh in our minds, there’s another worrying development which has been reportedly confirmed by Google this week.
It has been found that the camera app on Android devices, notably the Google Pixel and Samsung Galaxy series, has a security vulnerability that allowed anybody to snoop into your camera and start recording a video without the user's knowledge.
This damning assessment has been made by researchers at Checkmarx, who claim that both Google and Samsung have confirmed these loopholes and are said to have fixed them in the past few weeks, even though the security issues were first reported way back in July this year.
Cameras are a powerful tool for capturing visuals, but these apps operate in the background, and nobody has a clue as to what kind of data is accessed and what they do with it. To verify their claims, the researchers decided to test the camera apps on Pixel 2 XL and Pixel 3 devices, which is when they came across the issues at hand.
Eventually they were able to confirm that camera apps of other phone makers in the Android ecosystem were also affected. The vulnerability, tracked as CVE-2019-2234, was reported to Google as well as other phone makers with a proof-of-concept video.
What’s the Issue?
During their tests, the researchers found that an attacker could take control of the camera app and take photos or record videos without needing permission from the user, even if the phone was locked or the screen was turned off.
In fact, what'll concern you even more is that a hacker could also gain permission to access your phone's storage, which allows them to know your current location. The researchers also found it perplexing that asking for storage permission was easier than it should be, especially for apps which have no business using those features in the first place.
Threat For Users
To prove its case, Checkmarx demonstrated the issue through a video, in which all of the issues were tested through a rogue app. As a result, the researchers were able to penetrate the user's device, take photos, record video, and discreetly record audio and video calls.
“When the vulnerabilities were first discovered, our research team ensured that they could reproduce the process of easily exploiting them. Once that was confirmed, the Checkmarx research team responsibly notified Google of their findings.” (Checkmarx report)
After doing its due diligence, Google confirmed the vulnerabilities and started working on a patch to fix the issue with the app. It also said the following in its statement:
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.” (Google response to Checkmarx)
Eventually, both Google and Samsung joined forces with Checkmarx to fix the issues, and all three parties decided to publish the report only after the fix was released and confirmed by the phone makers.
This is the second worrying report to have come out this week.
Previously we had mentioned that security researchers have found that pre-loaded apps on Android phones have security issues, and this latest development only raises concerns for the normal user, who has no clue about these vulnerabilities and could at any time become a victim of cyber attacks.
As for users, they can only keep their phone and apps updated, and not allow basic apps to access their camera or record audio.