Checkmarx submitted its vulnerability report to Google's Android security team on 4 July. Researchers found that Android phone cameras can be accessed and used to spy on users simply by means of an installed app. If your phone ships with Google's or Samsung's camera apps, the fix is pretty simple: confirm you have updated to the most recent version immediately, and ensure that automatic updates are left switched on in the future.
Cybersecurity firm Checkmarx has discovered a dangerous vulnerability in Android OS which allows attackers to take control of the affected smartphone's camera, record phone calls, and locate the device using the Global Positioning System (GPS). Next, we're going to try to use code to force the phone to take videos and photos without accessing the phone's camera app.
Apparently, this includes recording video and call audio, capturing photos, and extracting GPS data from the phone's media files without authorization, then uploading it all to a C&C server. There are a large number of applications, with legitimate use cases, that request access to this storage, yet have no special interest in photos or videos.
Checkmarx's research team developed a malicious application for their PoC that requested basic storage access, the most commonly requested permission, to get to the phone's SD card. In addition to this, the researchers were able to record both the caller's and the receiver's voice during a call. According to the researchers, by merely manipulating specific "actions and intents", a malicious app can trick vulnerable camera apps into performing actions on behalf of the attacker, who can then steal the photos and videos from the device storage after they are taken.
'In order to better understand how smartphone cameras may be opening users up to privacy risks, the Checkmarx Security Research Team cracked into the applications themselves that control these cameras to identify potential abuse scenarios,' Checkmarx shared on its website.
Google tells Fast Company that it addressed the issue for "impacted Google devices" (aka Pixel phones) back in July.
The vulnerability could be found not only on Pixel devices but on phones from other vendors as well, with Samsung in particular named. On these phones, the user can ask the assistant to take a photo.
Checkmarx has demonstrated a mock attack in a video it uploaded to YouTube.
Google has responded to this research from Checkmarx in a statement: 'We love Checkmarx bringing this to our attention and working with Google and Android companions to coordinate disclosure.' Samsung too has confirmed the vulnerability.
If you haven't updated your device's camera app in a while, try checking for updates via the Google Play Store.
The attack operates in stealth mode while taking photos and recording videos, so there are no camera shutter sounds to alert the user. That makes the experience smoother, but it's also where a malicious app could gain control of your camera.