A vulnerability in the Google Camera Application left millions of Google and Samsung smartphones open to abuse, potentially letting a malicious actor take photos, download images and video and listen in to phone calls.

The flaw, CVE-2019-2234, is a permission bypass issue that enables real-time access to a phone through the camera application, according to a report by the Checkmarx Security Research Team. Takeover of the phone begins with the victim downloading a malicious app that requests storage access permission and that, once downloaded, creates a persistent connection to a command and control server that cannot be severed even if the app is closed, the screen is off or the phone is locked.

The Checkmarx team tested its theories on Google Pixel 2 and 3 model phones, and Samsung later confirmed that some of its devices that used the app were also susceptible to the vulnerability.

“We found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data,” the team

Google and Samsung each confirmed the issue exists, and Google has issued a patch to rectify the problem.

appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” a Google representative

Craig Young, computer security researcher for VERT, was surprised Google allowed such a flaw to pass through its own quality and control efforts.

“One of the most important aspects of Android app security is to lock down exported activities. Within Android, Intents serve as the glue for cross-application interaction at runtime allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request,” Young said.

Prior to the patch being pushed, an attacker working the command and control server could see what devices are connected to the phone and take these actions:

  • Take a photo on the victim’s phone and upload (retrieve) it to the C&C server.
  • Record a video on the victim’s phone and upload (retrieve) it to the C&C server.
  • Parse all of the latest photos for GPS tags and locate the phone on a global map.
  • Operate in stealth mode whereby the phone is silenced while taking photos and recording
  • Wait for a voice call and automatically record video from the victim’s side and audio from both sides of the conversation.

The post Google camera app flaw endangered millions of devices appeared first on SC Media.
