This Android bug allows hackers to control camera apps and spy on users

Today more than half of the global population owns a smartphone and it's hard to imagine our world without them. Unlike the cell phones that were merely used as a communication tool, the smartphones aren't just limited to texting and calling. From using applications to track health, cameras for photography, surfing the Internet, banking, watching favorite shows, using social media and a lot more just revolves in and around smartphones and we rely on them for all of them.

Technological advancements undoubtedly offer great promise to transform lives and can be used for both good and bad. Good in the form of enhanced services to simplify lives and bad from opportunities for its misuse, the fear of turning its use into abuse.

Recently, the Checkmarx Security Research Team discovered multiple concerning vulnerabilities stemming from permission bypass issues in the camera apps of Android-based smartphones from Google, Samsung and other vendors. 

According to the researchers, hackers can control the app to take photos or record videos through a rogue application without users' consent, subsequently giving them access to phone's videos and photos even if the phone is locked or screen is turned off.

Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app, ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues. After further digging, we also found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem – namely Samsung – presenting significant implications to hundreds-of-millions of smartphone users.

Without requesting specific permissions, the rogue application can take photos or videos and thereafter fetch them from the phone. Additionally, if the location is enabled in the camera app, the rogue app also has a way to access the current GPS position of the phone and user, the researchers wrote in a blog post.

A technical report of the findings were forwarded to Google, Samsung, and other smartphone OEMs. The vulnerability was later confirmed by Google, adding that they were not specific to the Pixel product line. The impact was much greater and extended into the broader Android ecosystem, the tech giant said in response to the Checkmarx security researchers.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”