Camera bug allows hackers to spy on Android phone users

Security researchers at Checkmarx have uncovered a critical bug in the camera app on Android phones that would leave users vulnerable to being hacked.

For several years, the Checkmarx team has routinely carried out research to detect vulnerabilities, particularly those related to user privacy and security on mobile phones.

Earlier this year, they created special code to breach the Google Camera app's security and, to their astonishment, they succeeded. Checkmarx researchers were able to access storage, see GPS-tagged photos and even retrieve them without the knowledge of the phone users via a C&C (Command & Control) method.

Here are the activities Checkmarx experts were able to carry out using C&C:
Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
Record a video on the victim’s phone and upload (retrieve) it to the C&C server
Parse all of the latest photos for GPS tags and locate the phone on a global map
Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
Wait for a voice call and automatically record:
Video from the victim’s side
Audio from both sides of the conversation

The devices used for the security tests were the Google Pixel 2 XL and Pixel 3. The researchers later tested other Android phone brands, including Samsung, and it turned out that they too had similar vulnerabilities.

Checkmarx developed a PoC (Proof-of-Concept) report and sent it to Google. Taking note of the severity of the issue, the search engine giant carried out its own independent investigation and confirmed the existence of the threat not only in its own Google Camera app but also in other Android phones. Samsung has also acknowledged the issue.

"Working directly with Google, they notified our research team and confirmed our suspicion that the vulnerabilities were not specific to the Pixel product line. Google informed our research team that the impact was much greater and extended into the broader Android ecosystem, with additional vendors such as Samsung acknowledging that these flaws also impact their Camera apps, and began taking mitigating steps," said Pedro Umbelino, Senior Security Researcher, Checkmarx.

Google has announced that the security patch has been forwarded to all Android OEMs (Original Equipment Manufacturers), which have been asked to roll it out to their respective branded devices.

All Android phone owners are advised to upgrade to the latest security patch at the earliest.

Here's how to update your phone with the latest software
When you get a notification, open it and tap the update action.
If you cleared your notification or your device has been offline:
Open your phone's Settings app.
Near the bottom, tap System and then Advanced and then System update.
You'll see your update status. Follow any steps on the screen.

Here's how to get security updates and Google Play system updates
Most system updates and security patches happen automatically. To check if an update is available:
Open your device’s Settings app.
Tap Security.
Check for an update:
To check if a security update is available, tap Security update.
To check if a Google Play system update is available, tap Google Play system update.
Follow any steps on the screen. 