
Millions of Android phones may be vulnerable to camera spying vulnerability

Graham CLULEY

November 20, 2019


Security researchers have uncovered a vulnerability in Android smartphones that could allow an attacker to secretly take photos and record videos without any permissions being granted.

And the exploit works even if the phone is locked or the screen turned off, or even during an actual call, all without the knowledge of the user.

The researchers at Checkmarx discovered a way to circumvent the permission model that normally stops Android apps from using the camera or microphone without the user's explicit consent.

One of the scary aspects of this is that if a remote attacker managed to use the exploit to steal photos from your Android phone, they could then examine the EXIF metadata embedded within the photos to determine your physical location. That only works for photos the camera app geotagged (GPS coordinates are written into EXIF only when the app's location tagging setting is on), but on most phones that setting is on by default.

As the researchers explained, central to the exploit was a vulnerability found in the camera apps pre-installed on millions of Android devices, tracked as CVE-2019-2234.

As a proof of concept demonstration, the researchers created a malicious weather app which requested no special permissions beyond basic storage access, a permission so many legitimate apps ask for that it would be unlikely to appear suspicious or threatening to even the most cautious users. Storage access is all the attack needs: the camera app takes the photo and saves it to storage, and the rogue app simply reads the file.

When the app is run it creates a persistent connection back to a remote command-and-control (C&C) server, from where an attacker can send it instructions. According to the researchers, even closing the app does not terminate the connection.

But with their rogue app in place, the researchers were able to:

  • Take a photo on the victim's phone and upload it to the C&C server
  • Record a video on the victim's phone and upload it to the C&C server
  • Parse all of the latest photos for GPS tags and locate the phone on a global map
  • Operate in stealth mode, whereby the phone is silenced while taking photos and recording videos
  • Wait for a voice call and automatically record video from the victim's side, and audio from both sides of the conversation
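The "parse the latest photos for GPS tags" step above, and the EXIF location leak described earlier, come down to reading a few fields from a JPEG's Exif segment. The following is an added example, not Checkmarx's code or any code from the original post: a dependency-free Exif GPS reader that walks the JPEG marker segments, finds the TIFF structure inside the APP1 (Exif) segment, follows the GPS sub-IFD pointer and converts the degree/minute/second rationals to decimal coordinates. Because it only needs the bytes of a file, it is also what a defender can run over their own camera roll to see which photos would give their location away to any app holding storage permission. The sample JPEG it parses is constructed inline by `build_sample_jpeg` (a helper written for this example) and contains nothing but an Exif GPS block.

```python
import struct

# Exif tag numbers from the Exif 2.x specification
GPS_IFD_POINTER = 0x8825                                   # IFD0 entry pointing to the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 1, 2, 3, 4    # tags inside the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _read_ifd(data, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at offset."""
    (count,) = struct.unpack(endian + "H", data[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", data[base:base + 8])
        entries[tag] = (typ, n, data[base + 8:base + 12])
    return entries


def _rationals(data, endian, typ, n, raw):
    """Decode n unsigned RATIONALs (8 bytes each); they never fit inline, so raw is an offset."""
    (off,) = struct.unpack(endian + "I", raw)
    out = []
    for i in range(n):
        num, den = struct.unpack(endian + "II", data[off + 8 * i:off + 8 * i + 8])
        out.append(num / den if den else 0.0)
    return out


def _dms_to_deg(dms):
    d, m, s = dms
    return d + m / 60 + s / 3600


def _gps_from_tiff(tiff):
    endian = "<" if tiff[:2] == b"II" else ">"          # "II" little-endian, "MM" big-endian
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None
    lat = _dms_to_deg(_rationals(tiff, endian, *gps[TAG_LAT]))
    lon = _dms_to_deg(_rationals(tiff, endian, *gps[TAG_LON]))
    if gps[TAG_LAT_REF][2][:1] == b"S":
        lat = -lat
    if gps[TAG_LON_REF][2][:1] == b"W":
        lon = -lon
    return (round(lat, 6), round(lon, 6))


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _gps_from_tiff(jpeg[pos + 10:pos + 2 + length])
        if marker in (0xFFDA, 0xFFD9):   # start of scan / end of image: no more metadata
            break
        pos += 2 + length                # skip any other segment (JFIF, XMP, ICC, ...)
    return None


def build_sample_jpeg(lat, lon):
    """Construct a minimal JPEG carrying only an Exif GPS IFD (constructed test input,
    not a real photo). lat/lon are (ref, (deg, min, sec)) with ref 'N'/'S' or 'E'/'W'."""
    def entry(tag, typ, n, value4):
        return struct.pack(">HHI", tag, typ, n) + value4

    def rationals(dms):
        return b"".join(struct.pack(">II", v, 1) for v in dms)

    # Big-endian TIFF layout: header 0-8, IFD0 8-26, GPS IFD 26-80, rationals 80-128
    header = b"MM\x00\x2a" + struct.pack(">I", 8)
    ifd0 = struct.pack(">H", 1) + entry(GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack(">I", 26))
    ifd0 += struct.pack(">I", 0)                               # no next IFD
    gps_ifd = struct.pack(">H", 4)
    gps_ifd += entry(TAG_LAT_REF, TYPE_ASCII, 2, lat[0].encode() + b"\x00\x00\x00")
    gps_ifd += entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack(">I", 80))
    gps_ifd += entry(TAG_LON_REF, TYPE_ASCII, 2, lon[0].encode() + b"\x00\x00\x00")
    gps_ifd += entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack(">I", 104))
    gps_ifd += struct.pack(">I", 0)
    tiff = header + ifd0 + gps_ifd + rationals(lat[1]) + rationals(lon[1])
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(("N", (40, 30, 0)), ("W", (73, 15, 36)))
    print(gps_from_jpeg(sample))       # (40.5, -73.26)
```

To audit a real camera roll, call `gps_from_jpeg(open(path, "rb").read())` on each file; any photo that returns coordinates rather than `None` is one that a storage-permission-only app could geolocate. Turning off location tagging in the camera app stops new photos from carrying these tags, and most photo editors and social networks strip Exif on export, which is why the attack goes after the originals on the device rather than shared copies.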

A video published by the research team demonstrates them successfully exploiting the security hole on Google Pixel 2 XL and Pixel 3 devices.

The researchers responsibly disclosed details of the vulnerabilities to Google, and details of the high severity flaw were not made public until both Google and Samsung had released fixes earlier this year.

However, it seems very likely that there are still Android phones out there which remain unpatched, either because the pre-installed camera app has not received its fix or because the device is not on a current security patch level. Checking both is the practical takeaway here.
