UPDATED 19:41 EDT / NOVEMBER 19 2019

SECURITY

Android flaw allows malicious apps to take photos and videos without permission

A newly revealed flaw in camera apps used by Android devices allows other apps to spy on users.

Even though both Google LLC and Samsung Electronics Co. Ltd. released patches to fix the issue, the vulnerability may also exist in devices made by other manufacturers.

Detailed today by security researchers at Checkmarx Ltd., the vulnerability was initially discovered in the Google Camera app on Google Pixel phones. It allows a malicious app to record video and audio and take images on a device and then upload them to an external server. The same vulnerability also allows for a malicious app to track the location of the device where GPS data is embedded into images or videos, as well as record phone calls.

Exploiting the vulnerability was found to be trivial, with no special permissions required from the user to access the device’s camera. Instead, the path to spying involves a malicious app requesting, and then being granted, access to the SD card, a common request for many apps.

“A malicious app running on an Android smartphone that can read the SD card not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will,” the researchers explained.

Checkmarx first notified the Android security team at Google of its discovery on July 4, and on July 13 Google set the severity of the vulnerability to “moderate.” After further discussion, that was revised to “high” on July 23. As further research was carried out, Google confirmed on Aug. 1 that the vulnerability impacted other Android device makers and started contacting them through the month.

Although both Google and Samsung have released patches — Google in July and Samsung in August — the ongoing concern is that older Google and Samsung devices that do not receive updates, as well as devices from other manufacturers, remain vulnerable.

“Mobile phones are a part of most people’s lives, so they make attractive targets for criminals,” Javvad Malik, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “It is why it’s important that phone manufacturers invest heavily in security not just for the device itself, but also when it comes to allowing apps.”

But he said this vulnerability is particularly bad, and users should apply patches as soon as they are made available by other manufacturers. “It is fortunate that this vulnerability was disclosed by the good guys,” he added.

Photo: diversey/Flickr
