Researchers from the Checkmarx Security Research Team have discovered and disclosed a vulnerability [2] in the Android camera app that may allow a malicious app to bypass camera access permissions.



How does it work?

Android camera applications usually store their photos and videos on the SD card. To access the SD card, an application needs a set of permissions called "storage permissions" [3].
Unfortunately, storage permissions are very broad: they give access to the entire SD card.
This means that a malicious application can request access to storage and grab photos and/or videos without holding any specific camera permission.
Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user.

Researchers from Checkmarx discovered that, by manipulating specific actions and intents through a malicious application, an attacker can control the Google Camera app and take photos and/or record videos without having the permissions to do so [1].
The same technique can also be used on Samsung’s Camera app.


The PoC

The research team built a PoC consisting of a client part, which represents a malicious app running on an Android device, and a server part, which represents an attacker’s command-and-control (C&C) server:

The malicious app we designed for the demonstration was nothing more than a mockup weather app that could have been malicious by design. When the client starts the app, it essentially creates a persistent connection back to the C&C server and waits for commands and instructions from the attacker, who is operating the C&C server’s console from anywhere in the world. Even closing the app does not terminate the persistent connection.

The operator of the C&C console can see which devices are connected to it, and perform the following actions (among others):

  • Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
  • Record a video on the victim’s phone and upload (retrieve) it to the C&C server
  • Parse all of the latest photos for GPS tags and locate the phone on a global map
  • Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
  • Wait for a voice call and automatically record:
    • Video from the victim’s side
    • Audio from both sides of the conversation

Note: The wait for a voice call was implemented via the phone’s proximity sensor that can sense when the phone is held to the victim’s ear.

Checkmarx also released an interesting video of the PoC:

https://youtu.be/XJAMJOVoVyw


Is there a fix?

Yes!

Once they had discovered the vulnerability and verified its reproducibility and exploitability, the research team notified Google of their findings.

According to Google's response, the issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019.
A patch has also been made available to all partners.

So, ensure you update all applications on your device!


References

  1. How Attackers Could Hijack Your Android Camera to Spy on You
  2. Google Android Camera CVE-2019-2234 Multiple Security Bypass Vulnerabilities | Symantec
  3. Android Permissions | Android Open Source Project