Google recently disclosed a vulnerability in the Android operating system that allowed hackers to take control of somebody’s camera and silently take pictures and record videos, even if the device is locked and/or the screen is turned off.
Discovery of the bug
The bug was discovered by Checkmarx researchers. The issue is tracked as CVE-2019-2234. The attack was carried out using a rogue app that had no permission to access the camera in the first place.
The researchers said:
“We found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data.”
The team presented a live demonstration of their discovery in a YouTube video.
The bug mainly affected Pixel phones, but it also extended to Samsung devices and even to devices from some other manufacturers.
The good news
Google has acknowledged the issue and congratulated the researchers on their finding. The good news is that they have already managed to fix the bug.
Google stated that the problem was addressed on impacted Google smartphones through a Play Store update to the Google Camera app in July 2019, and that a patch was also made available to all partners.