SECURITY
A newly revealed flaw in camera apps used by Android devices allows other apps to spy on users.
Even though both Google LLC and Samsung Electronics Co. Ltd. released patches to fix the issue, the vulnerability may also exist in devices made by other manufacturers.
Detailed today by security researchers at Checkmarx Ltd., the vulnerability was initially discovered in the Google Camera app on Google Pixel phones. It allows a malicious app to record video and audio and take images on a device and then upload them to an external server. The same vulnerability also allows a malicious app to track the device's location when GPS data is embedded in images or videos, and to record phone calls.
Exploiting the vulnerability was found to be trivial, with no special permissions required from the user to access the device's camera. Instead, the path to spying involves a malicious app requesting and then being granted access to an SD card, a common request for many apps.
“A malicious app running on an Android smartphone that can read the SD card not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will,” the researchers explained.
Checkmarx first notified the Android security team at Google of its discovery on July 4, and on July 13 Google set the severity of the vulnerability to “moderate.” After further discussion, that was revised to “high” on July 23. As research continued, Google confirmed on Aug. 1 that the vulnerability affected other Android device makers and began contacting them through the month.
Although both Google and Samsung have released patches (Google in July and Samsung in August), the ongoing concern is that older Google and Samsung devices that do not receive updates, as well as devices from other manufacturers, remain vulnerable.
“Mobile phones are a part of most people’s lives, so they make attractive targets for criminals,” Javvad Malik, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “It is why it’s important that phone manufacturers invest heavily in security not just for the device itself, but also when it comes to allowing apps.”
But he said this vulnerability is particularly bad, and users should apply patches as soon as they are made available by other manufacturers. “It is fortunate that this vulnerability was disclosed by the good guys,” he added.