A new scary and serious security flaw has surfaced in Android phones recently. According to Checkmarx Security Researchers Pedro Umbelino and Erez Yalon, there’s a vulnerability that impacts the camera apps of Android smartphone vendors such as, Google Pixel and Samsung. It could have affected several millions of smartphone users, had Samsung and Google not patched the vulnerabilities as soon as they were shown.
Erez Yalon explains, "Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app, ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues." Erez Yalon and his team found the same security holes in Samsung when they explored the vulnerability in other phones.
A comprehensive bug-hunt around the Google Camera app revealed that specific actions can be performed to control the app to take photos and record videos. This is done through a rogue application that does not possess the necessary permissions to use the camera.
Moreover, certain attack routines can lead to circumvention of the storage permission policies. Hence, a malicious hacker can access videos and photos stored in Internal Storage and SC Card. It’s scary because the GPS metadata of images can also be seen making it easy to triangulate the phone owner’s location.
Erez Yalon added on the matter: "Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card. There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos."
Google appreciated Checkmarx’s initiative in bringing the security flaw to their attention. After the Pegasus incident, this could have been one of the biggest security breach cases. Hackers with insidious intent are always on the lookout for new ways to break into your computers and phones. So whatever you do, do not download and install applications from untrusted sources.