A bug in Google’s camera app allowed hackers to secretly record users

Google recently made public that it had learned of a vulnerability in the Android operating system that allowed hackers to take control of somebody’s camera and silently take pictures and record videos, even if the device was locked and/or the screen was turned off.

Discovery of the bug

The bug was discovered by Checkmarx researchers and is tracked as CVE-2019-2234. The attack used a rogue app that had no permission to access the camera in the first place.

The researchers said: 

“We found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data.”

The team presented a live demonstration of their discovery in a YouTube video:

https://www.youtube.com/watch?v=XJAMJOVoVyw

Affected devices

The bug mainly affected Pixel phones, but it also affected Samsung devices and devices from some other manufacturers.

The good news

Google has acknowledged the issue and congratulated the researchers on their finding. The good news is that the bug has already been fixed.

Google stated that the problem was addressed on impacted Google smartphones through a Play Store update to the Google Camera app in July 2019, and that a patch was also made available to all partners.
