By Shannon Morse, ThreatWire 

According to a report by Checkmarx, an Israeli security vendor, flaws in Android devices could have let an attacker gain access to a victim’s location, or take photos and videos from a device without the user ever knowing. This problem affects Google Pixel phones and Samsung Galaxy phones through their voice assistant technology, via Google Assistant or Samsung Bixby. This could potentially affect a much broader range of Android devices as well. Neither of these voice-activated assistants needs to ask for further permissions to use the camera, and this lets less trusted apps abuse the convenience as well. In this case, the researchers created a proof-of-concept weather app that would ask the voice assistants for access. This access request could let the third-party weather app send Google Assistant or Samsung Bixby a request for camera access, which it could use to start filming or take photos without the owner’s consent.

This bug is tracked as CVE-2019-2234 and happens because of a permission bypass flaw. Since both assistants could allow an attacker to bypass any additional permissions, they could turn on the camera while the device is locked or being used for another app, like taking a phone call. Users usually need to accept permission requests for new apps, but the Storage Permission, which is used to save photos to your device’s storage, is broad and gives access to the entire storage drive. The researchers were able to use this to force the photo app to open and store new images or video to the internal drive. And since GPS tags or location info could be stored in the photo, the attacker would get this as well.

To make the vulnerability even creepier, the researchers were able to use the proximity sensor in the phones to determine when they are lying face down on a table, or when the device is being held to an ear during a phone call. They could then activate recording of both sides of the conversation through the app.

Now, with all this said, it wouldn’t be completely hidden. The camera app would appear on the device’s screen while in use, but if it’s on a nightstand or held to an ear, the user wouldn’t be able to see the screen at that time. It would also be relatively hard to pull off without detection from the user, given you can see the camera app when it’s recording. Even so, Google marked this as a high-severity flaw and pursued a fix after discovery.

Google and Samsung patched these vulnerabilities in July, and the report was published four months later following responsible disclosure. Google was initially informed on July 4 and had a CVE for it on August 1. A camera update has since been released. A video of the proof of concept successfully working is available in the links provided.

Support me on alternative platforms! https://snubsie.com/support

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire   

https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera

https://www.cyberscoop.com/voice-assistant-flaws-checkmarx-google-assistant-samsung-bixby/

https://www.zdnet.com/article/android-vulnerability-lets-rogue-apps-take-photos-record-video-even-if-your-phone-is-locked/

https://threatpost.com/google-android-camera-hijack-hack/150409/

https://arstechnica.com/information-technology/2019/11/google-samsung-fix-android-spying-flaw-other-makers-may-still-be-vulnerable/

https://thehackernews.com/2019/11/android-camera-hacking.html
