A recently-revealed flaw that affected all Android devices at one point allowed attacker applications to take pictures and upload them to servers without user permission. Thankfully, this Android camera flaw has been patched on some devices.
Nomad case for Pixel 3
For quite some time – since Marshmallow – Android has used pop-ups to allow permissions for apps including the ability to access the camera. To get around that, this method used the camera application already on the device. Both the Google Camera app on Pixels and the Samsung Camera app were proved vulnerable.
Using this method, the vulnerable camera apps would take a photo which the malicious app could then see the EXIF and GPS data on to even determine the user’s location. The photos could also be uploaded to a remote server.
Of course, for this, the app would need to be given storage access by the user, but that is one of the most commonly provided permissions. Since the app is controlling other camera apps on the device, the attack also can’t take place while the user is looking at the device since it would be an obvious giveaway.
With a proof of concept app, CheckMarx was able to take a picture while the app was closed and the screen was off, pull the GPS data from that photo, eavesdrop on a two-way phone call, silence the camera shutter, transfer those photos and videos to an external server, and pull the images and videos already stored on the phone. The app also used the proximity sensor to know when it was placed face-down to as a way to avoid the user seeing the attack in progress.
Luckily, Google and Samsung have both fixed these issues on their camera apps. This Android flaw was fixed in the Google Camera app on Pixel devices back in July when the issue was first reported while Samsung patched the issue at a later date. Google says:
We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.
Android partners have access to a patch for this issue as Google has said, but it’s unclear if all partners have adopted it. All Pixel and Galaxy smartphones are immune at this point but Google implied to CheckMarx that some of its partners have yet to fix the issue. The company has not publicly confirmed this or mentioned who that might include, though.
More on Android:
FTC: We use income earning auto affiliate links. More.