A few days ago, it was reported that the Facebook app was using the camera on certain versions of iOS without the user’s permission. Now, it has been discovered that a vulnerability in Google’s and Samsung’s Camera apps on Android enabled other apps to breach users’ privacy.
Apparently, this includes recording video and call audio, capturing photos, and extracting GPS data from the phone’s media data without authorization, while uploading it to a C&C server. Furthermore, subtle hacks such as silencing the camera’s shutter could also be implemented to further conceal any hidden activity.
Termed CVE-2019-2234, the vulnerability has been disclosed by Checkmarx in coordination with both Google and Samsung alerting users, the former stating:
To understand how this entire process takes place without the user’s permission, note that an app needs the following permissions to engage in any of the aforementioned actions:
1. android.permission.CAMERA,
2. android.permission.RECORD_AUDIO,
3. android.permission.ACCESS_FINE_LO
4. android.permission.ACCESS_COARSE
However, in this particular case, it was discovered that merely having permission to access the phone’s storage gave apps unrestricted ability to use other features of the camera. Consequently, as the majority of apps rely on storage permissions to operate, a vast number of apps had the potential to exploit this vulnerability.
Checkmarx has also put together a video to demonstrate such an exploit on a Google Pixel 2 XL with the help of a simple weather app.
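For triage on devices still running an unpatched Camera app, the gap described above can be turned into a manifest audit. This is an added example, not code from Checkmarx, Google or Samsung: it flags apps that request storage access but not the camera, audio or location permissions. The storage and location names are the standard Android SDK ones, and the package names and manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Permissions normally required for the actions described (full SDK names).
SENSITIVE = {P + "CAMERA", P + "RECORD_AUDIO",
             P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"}
# Storage permissions: per the article, holding storage access was enough.
STORAGE = {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"}

def requested_permissions(manifest_xml):
    """Return (package, set of permission names) from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root:
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return root.get("package", "<unknown>"), perms

def triage(manifests):
    """Map package -> sensitive permissions it lacks, for apps that hold storage access."""
    report = {}
    for xml_text in manifests:
        package, perms = requested_permissions(xml_text)
        missing = SENSITIVE - perms
        if perms & STORAGE and missing:
            report[package] = sorted(missing)
    return report

def _manifest(package, *perms):  # helper that builds the constructed sample input
    body = "".join('<uses-permission android:name="%s%s"/>' % (P, p) for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, body))

SAMPLES = [  # constructed manifests, not real apps
    _manifest("com.example.weather", "INTERNET", "WRITE_EXTERNAL_STORAGE"),
    _manifest("com.example.scanner", "CAMERA", "READ_EXTERNAL_STORAGE"),
    _manifest("com.example.notes", "INTERNET"),
    _manifest("com.example.camcorder", "CAMERA", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
              "ACCESS_COARSE_LOCATION", "WRITE_EXTERNAL_STORAGE"),
]

if __name__ == "__main__":
    for package, missing in triage(SAMPLES).items():
        print(package, "holds storage access but does not request:", ", ".join(missing))
```

Apps that appear in the report are the ones to review first until the Camera app update is confirmed on the device; an app with no storage permission, or one that already holds all four sensitive permissions, is not listed.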
To conclude, users can rest assured knowing that Google has fixed the vulnerability via a Play Store update while simultaneously issuing a patch to all partner vendors. On the other hand, companies could take away a lesson in responding the right way, just as Google and Samsung did, instead of downplaying any exposed flaws within their systems. This not only helps the ecosystem flourish but also helps users take precautions by understanding the security limitations their devices may pose.