Android smartphones in danger – new flaw helps bogus apps secretly access camera


CVE-2019-2234, new camera app vulnerability, allows remote attackers to record videos on Android smartphones

Android flaw allows camera access for bogus apps. No permission needed

Security researchers have reported about an Android-based camera vulnerability that was detected recently. A risky flaw involves several smartphone models released by Samsung and Google that have a vulnerable camera app installed in advance. A vulnerability that was named CVE-2019-2234 allows questionable programs to access camera and take photos or record videos with no permission required.[1]

Even when it’s locked, hackers can perform needed actions and the person might not even recognize that something odd is going with his camera. Additionally, the flaw might also be used to access the microphone and might even get access to the user’s current location through the photos or videos made.

Checkmarx researches, who discovered the CVE-2019-2234 vulnerability in the wild, identified Google Pixel 2 XL and Pixel 3 as devices used for the research:[2]

Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app [1], ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues.

No particular permission is required for the malicious app to work

The malicious app which is misusing the CVE-2019-2234 vulnerability works under the only condition – it requires to provide access to the SD card but this does not usually create any concerns as it is typical permission asked by numerous other apps.[3] When such permission is granted, the CVE-2019-2234 can be misused for the hackers’ needs.

Researchers have discovered that the questionable program could take photos and videos with the user’s mobile phone device. Afterward, this material is transferred to a Command and Control server[4] which is owned by the criminals. 

All of these actions are performed silently and show no signs so that the user would not recognize any questionable activities. The camera itself does not make any sound as well in order not to raise suspicion and keep recording the material for a long time.[5]

The malicious app can get hold of voice call material, including the victim’s video

One of the worst things about the CVE-2019-2234 vulnerability is that it can be exposed very easily and no specific conditions are required. Hackers can take hold of the camera and visual material recorded by it even if the malicious app is not active, the screen is locked or even turned off.

The hazardous app might be even able to gather information regarding voice calls, including audio material provided by both persons and visual material related to the victim only. A very dangerous part about such activity is that you can get private videos and call details leaked by cybercriminals or be charged with big fees if seeking to prevent the exposure of your personal photos and videos.[5]

Google and Samsung were notified about the issue and tended to release a patch

Google was informed about the dangerous flaw that was identified as “high”. Checkmarx experts announced their findings in July 2019 by presenting a video of a PoC app that showed the entire attack and how it worked. Later on, the organization admitted finding the flaw in its Pixel models but did not reveal which phones were vulnerable.

Gladly, Google did release a camera update for its Pixel line in July and also informed Android manufacturers about this issue, including Samsung. The company took care of the problem at the end of August.

If you are also an Android mobile phone user, you should be cautious about this flaw. You should make sure that your camera app has been updated to the latest version as the problem has been eliminated by releasing new upgrades. Also, experts advise all people to keep their Android devices regularly updated to avoid any types of flaws.