CVE-2019-2234 flaws in Android Camera Apps exposed millions of users surveillance

Experts found multiple flaws (CVE-2019-2234) in the Android camera apps provided by Google and Samsung that could allow attackers to spy on users.

Cybersecurity experts from Checkmarx discovered multiple vulnerabilities in the Android camera apps provided by Google and Samsung could have been exploited by hackers to spy on hundreds of millions of users.

The vulnerabilities are collectively tracked as CVE-2019-2234, attackers could exploit them to conduct several activities, including recording videos, taking photos, recording voice calls, tracking the user’s location.

The vulnerabilities could be exploited by threat actors even if the phone is locked and the screen is turned off.

The researchers initially analyzed Google’s Pixel 2 and Pixel 3 devices, then they extended their findings to the camera application on Samsung phones.

“It is possible for any application, without specific permissions, to control the Google Camera app developed for Android and force it to take photos and / or record videos, even if the phone is locked and the screen is turned off.” reads the report published by Checkmarx. “After disclosing these findings to Google, they shared the report with other Android manufacturers, and Samsung confirmed the vulnerabilities existed in their smartphones as well. According to Google, additional OEMs also confirmed the flaws, expanding the impact to hundreds-of-millions of Android users worldwide.”

The vulnerabilities allowed a malicious application installed on the victim’s phone to take control of the camera app present on Google and Samsung devices and spy on users without any special permission.

Experts focused their analysis on a camera application installed on Google smartphones (com.google.android.GoogleCamera package) searching for any vulnerabilities.

The researchers manipulated specific actions and intents and discovered that an attacker can control the Google Camera app to take photos and/or record videos using a rogue application that has no permissions to do it.

The experts also discovered that under specific conditions, attackers can bypass various storage permission policies in order to access to stored videos and photos, as well as GPS metadata embedded in photos to locate the user by taking a photo or video and analyzing the associated EXIF data.

The experts developed a PoC weather application, without specific permissions, that established a persistent connection with the attacker’s server that was able to siphon any kind of data from the target phone, even when the rogue app was closed.

Below the video PoC of the attack:

The researchers reported the flaws to Google in early July and the company confirmed that a security patch addressed them was released in the same month. Samsung also confirmed to have addressed the issue.

“This type of research activity is part of the Checkmarx Security Research Team’s ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based smartphones and IoT devices, while bringing more security awareness amid the consumers who purchase and use them. Protecting privacy of consumers must be a priority for all of us in today’s increasingly connected world”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Android, CVE-2019-2234)

[adrotate banner=”5″]

[adrotate banner=”13″]