Android vulnerability allows attackers to spy on users through phone camera
2019-11-20 18:48 by Daniela
Tags: Android, flaw
A security flaw in Google's Android lets malicious apps access users' camera and microphone to secretly record them and upload the videos to an external server. The weakness, which is tracked as CVE-2019-2234, also allowed potential attackers to track the physical location of the device, assuming GPS data was embedded into images or videos.
Israeli security firm Checkmarx discovered the vulnerability in July and informed Google and Samsung of it. Researchers found that when a third-party application requests "storage permissions" from an Android phone user, it is able to access the camera, record video and access geolocation data embedded in stored photos. An app would normally need users to grant specific permissions for each of these functions (such as android.permission.CAMERA, android.permission.RECORD_AUDIO, android.permission.ACCESS_COARSE_LOCATION and android.permission.ACCESS_FINE_LOCATION); however, "storage permissions" bundles in all of these permissions automatically, unbeknownst to Android users.
"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card," the researchers note. "There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it's one of the most common requested permissions observed."
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure," a Google spokesperson told Business Insider in an email. "The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
Google closed the eavesdropping hole in its Pixel line of devices with a camera update that became available in July. Checkmarx said Samsung has also fixed the vulnerability, although it wasn't clear when that happened. However, Android phones from other manufacturers may also be vulnerable. The specific makers and models haven't been disclosed.
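To see which photos in shared storage carry the embedded location data the report refers to, so it can be stripped before the files are left where any app with storage access can read them, here is an added example (not from the article or from Checkmarx). It assumes the standard JPEG APP1/EXIF layout; the function names and the sample bytes are constructed for illustration.

```python
import struct

GPS_IFD_POINTER = 0x8825  # EXIF tag in IFD0 that points at the GPS sub-IFD

def exif_tiff(jpeg: bytes):
    """Return the TIFF payload of the first APP1 'Exif' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":               # missing JPEG start-of-image marker
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        if marker == 0xDA or length < 2:      # image data begins, or corrupt length
            return None
        body = jpeg[pos + 4 : pos + 2 + length]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            return body[6:]
        pos += 2 + length
    return None

def gps_tags(jpeg: bytes):
    """Return the sorted GPS tag ids embedded in the image ([] if none)."""
    tiff = exif_tiff(jpeg)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return []
    bo = "<" if tiff[:2] == b"II" else ">"    # TIFF byte-order mark
    def entries(offset):                      # yields (tag, 4-byte value field)
        (count,) = struct.unpack_from(bo + "H", tiff, offset)
        for i in range(count):
            base = offset + 2 + 12 * i
            yield struct.unpack_from(bo + "H", tiff, base)[0], tiff[base + 8 : base + 12]
    try:
        (ifd0,) = struct.unpack_from(bo + "I", tiff, 4)
        for tag, value in entries(ifd0):
            if tag == GPS_IFD_POINTER:
                (gps_ifd,) = struct.unpack(bo + "I", value)
                return sorted(t for t, _ in entries(gps_ifd))
    except struct.error:                      # truncated or malformed EXIF
        return []
    return []

def make_sample(with_gps: bool) -> bytes:
    """Constructed minimal JPEG (no pixel data) with big-endian EXIF."""
    entry, gps = struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0), b""  # Orientation only
    if with_gps:  # GPS pointer -> IFD at offset 26 holding GPSLatitudeRef = "N"
        entry = struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 26)
        gps = struct.pack(">HHHI", 1, 1, 2, 2) + b"N\x00\x00\x00" + struct.pack(">I", 0)
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, 1) + entry + struct.pack(">I", 0) + gps
    body = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

A non-empty result from gps_tags() means the file exposes location metadata to anything that can read it.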