Security researchers have discovered a significant security hole in several Android camera applications. The flaw, which could affect millions of users around the world, would allow other applications to take photos and videos, and also to extract GPS coordinates embedded in images already captured, all without any authorization from the user.
This security issue, referenced as CVE-2019-2234, affects Google Camera and Samsung Camera apps that have not been updated since July 2019.
Attackers could hijack your Android Camera to spy on you
The team of researchers from Checkmarx who found this flaw analyzed the Google Pixel camera application and discovered that several elements allow the smartphone’s camera to be manipulated to record videos or capture images.
In principle, specific permissions are required for applications to be able to access the camera and capture photos and videos. But the Checkmarx team discovered that apps that have permission to access the device’s storage can access the camera app without the user’s permission.
They explain that malicious applications with access to the device’s storage can not only access photos and videos stored on the device, but can also use this new method to take photos and videos, and even read GPS coordinates embedded in the EXIF data of recorded photos and videos.
Android Camera: A flaw corrected last summer
To show the importance of their discovery, the researchers created a fake app that, like so many applications, requests access to the device’s storage to function. Under cover of a weather app, it can take photos and videos and send them to one of their demo servers without the user’s knowledge.
The authors of this find alerted Google to their discovery as early as July 4th. Google then confirmed the importance of the flaw and said it also affected the camera applications of other brands, including Samsung. A corrective update was available in late July on the Play Store for all applications that have this bug.