November 21, 2019
Security researchers found a flaw in Android that allowed hackers to listen to and record phone conversations, and also access the device’s camera, without the knowledge or consent of the owner of the phone.
A flaw has be uncovered in Android smartphones that lets hackers infiltrate cameras without users’ knowledge – effecting hundreds of millions of users.
Security experts discovered several vulnerabilities on two different Pixel smartphones that lets attackers bypass permissions.
Using a rogue application, the team was able to grab data from the camera, microphone as well as GPS location without consent.
The flaw, dubbed CVE-2019-2234, was uncovered by researchers from security firm Chexmarx, which let gain access to a device’s camera, transforming the harmless device into a spying nightmare.
‘In order to better understand how smartphone cameras may be opening users up to privacy risks, the Checkmarx Security Research Team cracked into the applications themselves that control these cameras to identify potential abuse scenarios,’ Checkmarx shared on it is website.
‘Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app, ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues.’
After further digging, we also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem – namely Samsung – presenting significant implications to hundreds-of-millions of smartphone users.’
The team was able to successfully store media on devices and access the GPS location on images and videos in the library.
The flaw also allowed them to listen in on both sides of phone conversations and record them –again, without users knowing.
And the smartphone’s proximity sensor lets hackers know when the user is talking on the device or when it is laying down -allowing them to use the camera app without being spotted.
A developer was even able to upload images and video from the phone to a server if a user granted the app permission to access the device’s storage.
To demonstrate the flaw, Checkmarx designed a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission.
Google has responded to this test from Checkmarx in a statement: ‘We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure.’
‘The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019’.
‘A patch has also been made available to all partners.”
How about “I’m so grateful you found this so everyone can be safer!” instead? This is serious and yet Google doesn’t sound very grateful.
Maybe they see this as an inconvenient setback. Maybe they already knew about the security flaw.
Maybe they want Android phones to be able to be used as spying devices.
We don’t know for sure.
What we do know for sure is that everyone carrying in their pockets GPS devices with microphones and cameras that can connect to the internet and provide real-time information about its “owner” sure sounds like a dream come true for a surveillance state.
If you also consider who’s behind these devices…
Then suddenly Apple’s prices don’t sound as absurd as before.