A new defect has been discovered in the Camera apps on millions of Android devices that could permit other apps to record video, take pictures, and extract GPS data from media without having the needed permissions.
Android apps can expose various functions, or intents, such as the ability to take a picture, which other apps on the device can invoke. In order to use an exposed intent, another app has to hold the required permissions.
In a coordinated disclosure with Samsung and Google, the research team from Checkmarx has disclosed that a new defect permits apps to record videos, take pictures, or track the location of a device, even if they don’t have the permission to do so.
This new defect is tracked as CVE-2019-2234 and affects the Samsung Camera and Google Camera apps if they haven’t been updated before July 2019.
Bypassing Permissions To Record Videos And Take Pictures
After examining the Camera app of the Google Pixel, the researchers discovered a large number of intents that could be used to manipulate the device's camera in order to record videos and take pictures.
Usually, an app needs the android.permission.CAMERA, android.permission.ACCESS_COARSE_LOCATION, android.permission.RECORD_AUDIO, and android.permission.ACCESS_FINE_LOCATION permissions in order to record video and access GPS data.
The researchers further discovered that apps holding the “storage” permission, which gives an app access to the entire SD card and the media stored on it, can also use the Camera app’s exposed functions without the permissions mentioned above.
This is troubling because many apps regularly ask for the “storage” permission, such as streaming services, car racing games, and even weather apps.
According to the report, the “storage” permission is the most common permission that the researchers have observed.
This permitted the researchers to create a proof-of-concept app that poses as a weather app, but quietly sends videos, pictures, and phone call recordings back to a demo command-and-control server.
This is quite dangerous, as it could permit apps that don’t hold the usual permissions to:
- record videos and take pictures even if the screen is off or the phone is locked
- leak GPS location from stored photos
- listen in on two-way conversations, even while taking photos and recording videos
- keep the camera shutter silenced so that the victim cannot hear when photos are taken
- transfer important photos and videos stored on the SD Card
Google Camera App Fixed In July 2019
In July 2019, the new issue was reported to Google, which raised it to a “high” classification.
On August 1, Google confirmed that the issue affected Camera apps from other Android device vendors and issued CVE-2019-2234 for it.
Later, it was determined that Samsung’s Camera app was also affected, and both vendors approved the publication of this new bug.
According to Google, this bug in the Camera app was fixed in July 2019 via a Google Play Store update, and time was given to other vendors.
Hence, all users are strongly advised to upgrade to the latest version of Android and ensure they are using the latest version of the app for their Android devices.