Bug in many Android phones allowed spying

Android apps could take photos and videos without holding the camera or microphone permission, which is ideal for spying on users. Google and Samsung have released updates.

A security vulnerability affects many Android phones: installed apps can bypass the camera and microphone permission checks and take photos and record videos, including sound, without the user's knowledge. If the malicious app also holds the usual permission to read stored data, it can upload the photos and videos to a server as well. This opens up enormous opportunities for espionage, as a proof-of-concept app disguised as a weather app demonstrates.

At least Android phones with the camera apps from Google and Samsung are affected, and possibly other Android phones as well. The problem was discovered by the Israeli software company Checkmarx, which informed Google at the beginning of July; Google released an update for its camera app the same month. Samsung has now followed suit. Checkmarx made the vulnerability public on Tuesday.

The attacker can also trigger photos and videos while the phone is locked with the screen off, or while a call is in progress. The sound track of a recorded video can therefore be used not only to listen in on the room the phone is in, but also to record telephone conversations in full. Because the attacker can also silence the camera's shutter sound, the recording is not immediately noticed.

The only remaining clue is that the camera preview appears on the screen. This is less protection than one might think: the attacker's app can use the proximity sensor to detect when the phone is lying face down or is held to the ear, and act only then.

If the user has not disabled the embedding of GPS coordinates in photos (geotagging), the attacker can also read this data and send it to their own server, revealing the phone's current and previous locations. The vulnerability is tracked as CVE-2019-2234.
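The geotag described above is ordinary EXIF metadata: the camera app writes the coordinates as degree/minute/second rationals in a GPS sub-IFD inside the JPEG's APP1 segment, so any app that can read the file can read the location. As an added example (not part of the original article and not Checkmarx's proof of concept), the following Python parses that structure directly, reports whether a JPEG is geotagged, and strips the EXIF segment before a file is shared. It assumes a standard EXIF/TIFF layout; `build_geotagged_jpeg` fabricates a headers-only sample file with constructed coordinates so the check runs offline without a real photo.

```python
import struct

# Standard EXIF/TIFF tag numbers and field types used below
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _segments(jpeg):
    """Yield (marker, offset, bytes) per JPEG header segment, stopping at SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI / SOS: entropy-coded data follows
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # counts its own 2 bytes
        yield marker, pos, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def find_exif(jpeg):
    """Return the TIFF blob inside the APP1 EXIF segment, or None if absent."""
    for marker, _, seg in _segments(jpeg):
        if marker == 0xE1 and seg[4:10] == b"Exif\0\0":
            return seg[10:]
    return None


def strip_exif(jpeg):
    """Copy of the JPEG without EXIF segments; scan data after the headers is kept verbatim."""
    out, end = bytearray(jpeg[:2]), 2
    for marker, pos, seg in _segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
        end = pos + len(seg)
    return bytes(out + jpeg[end:])


def _read_ifd(tiff, endian, offset):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for pos in range(offset + 2, offset + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, pos)
        entries[tag] = (typ, count, tiff[pos + 8:pos + 12])
    return entries


def _ascii(tiff, endian, entry):
    _, count, field = entry
    if count > 4:                                  # strings over 4 bytes live at an offset
        (off,) = struct.unpack_from(endian + "I", field)
        field = tiff[off:off + count]
    return field[:count].split(b"\0", 1)[0].decode("ascii")


def _rationals(tiff, endian, entry):
    _, count, field = entry
    (off,) = struct.unpack_from(endian + "I", field)  # 8-byte RATIONALs never fit inline
    vals = struct.unpack_from(endian + "II" * count, tiff, off)
    return [(vals[2 * i], vals[2 * i + 1]) for i in range(count)]


def _dms_to_decimal(dms, ref):
    deg, minutes, seconds = (num / den for num, den in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if not geotagged."""
    tiff = find_exif(jpeg)
    if tiff is None:
        return None
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]         # TIFF byte-order mark
    (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
    ifd0 = _read_ifd(tiff, endian, ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, endian, gps_off)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_decimal(_rationals(tiff, endian, gps[GPS_LAT]), _ascii(tiff, endian, gps[GPS_LAT_REF]))
    lon = _dms_to_decimal(_rationals(tiff, endian, gps[GPS_LON]), _ascii(tiff, endian, gps[GPS_LON_REF]))
    return lat, lon


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed sample (not a real photo): headers-only big-endian EXIF JPEG with a GPS IFD."""
    def entry(tag, typ, count, field):
        return struct.pack(">HHI", tag, typ, count) + field.ljust(4, b"\0")
    ifd0_off = 8                               # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 1 * 12 + 4        # IFD0: count, one entry, next-IFD link
    lat_off = gps_off + 2 + 4 * 12 + 4         # GPS IFD: count, four entries, link
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off)
    tiff += struct.pack(">H", 1) + entry(GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack(">I", gps_off))
    tiff += struct.pack(">I", 0) + struct.pack(">H", 4)
    tiff += entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode("ascii") + b"\0")
    tiff += entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", lat_off))
    tiff += entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode("ascii") + b"\0")
    tiff += entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(">I", lat_off + 3 * 8))  # lon follows lat
    tiff += struct.pack(">I", 0)
    for num, den in list(lat_dms) + list(lon_dms):
        tiff += struct.pack(">II", num, den)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run `extract_gps` over a photo copied from the phone to confirm whether geotagging is actually off, and `strip_exif` before sharing a file. Only the EXIF APP1 segment is removed; XMP or vendor-specific segments that also carry location data would need the same treatment.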
