This article was published on November 20, 2019

Bug in Google Camera put Android users at risk of being secretly recorded

That's bad, Google


Bug in Google Camera put Android users at risk of being secretly recorded

Not one to let Facebook get ahead, Google has disclosed a vulnerability in Android which made it possible for hackers to hijack your camera, and secretly capture photos and record footage — even when the phone is locked or the screen is off.

The bug, discovered by researchers from Checkmarx, stemmed from permission bypass issues in the Google Camera app. The issue (filed under CVE-2019-2234) affected Pixel phones, but further spilled over to devices from Samsung and other manufacturers.

“An attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so,” the researchers write. “Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data.”

The security firm has demonstrated a Proof-of-Concept of the attack in a video uploaded to YouTube.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Google has since confirmed the issue, thanking the researchers for their work. The good thing is that the bug has already been ironed out.

We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” the company said in a statement. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

Still, maybe Google’s Project Zero researchers should catch a break from finding bugs in iOS to sort out their own security woes, so others don’t have to.

via CyberScoop

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top