Checkmarx’s head of security research, Erez Yalon, has discovered a number of vulnerabilities in Google and Samsung’s mobile devices combined under the same identifier CVE-2019-2234. Due to these vulnerabilities in Android, malware can control the user’s camera.In a study of camera security on Google Pixel 2 XL and Pixel 3 devices, the Checkmarx team discovered vulnerabilities in Google’s Camera app that allowed them to control certain functions without permission.
In general, CVE-2019-2234 allows any application to control the Camera application without appropriate permission, including taking photos and videos, even if the device is locked, the screen is off, and the user is talking by phone. According to experts, in addition to Google, the problem affects other manufacturers of Android devices, including Samsung.
Additionally, we found that certain attack scenarios enable malicious actors to bypass various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data”, — report Checkmarx researchers.
Google restricts application access to sensitive features such as camera, microphone, and location services. To gain access to them, you must first obtain the appropriate permission. However, the vulnerability discovered by researchers allows you to circumvent these limitations.
The Camera application in Android OS usually saves photos on SD cards, so other applications request access to the SD card to access them.
Unfortunately, this resolution has a wide range of actions and provides access to the SD card. There are a number of legitimate applications requesting access to the repository, although they do not need images and videos to work. In fact, this is one of the most requested permissions”, – said Erez Yalon.
This permission experts decided to use as an attack vector. As it turned out, if a malicious application is granted access to an SD card, it will not only gain access to photos and videos, but due to vulnerability, it will also force the photo application to take new photos and videos.
We could easily record the voice of both the user during the conversation and the voice of the caller. This is an undesirable activity, since the Google Camera application should not be completely controlled by an external application”, — the researchers noted.
Researchers notified Google about the problem in July this year. At first, the company considered the vulnerability of medium danger, but then recognized it as highly dangerous, registered CVE and issued a patch.
User Review( votes)