Saturday, June 22, 2024

Android Camera Bug Let Hackers Spy on 100 Million+ Android Users Camera by Taking Video’s & Photo’s

Researchers discovered a critical vulnerability in the Android Camera app that allows hackers to remotely control the camera to take photos and/or record video using the malicious app without app permission.

This Android camera vulnerability considers being a serious concern in the Android ecosystem since the advanced camera and video capabilities are playing a massive role in Android users.

Critical permission bypass vulnerabilities initially discovered in the Google Pixel 2 XL and Pixel 3 on-hand Camera app, when digging deeper, researchers found the same vulnerabilities also affected some of the major smartphone vendors such as Samsung.

It poses a serious threat to hundreds of millions of smartphone users, and the attackers installing the malicious app to gain complete Android Camera access without appropriate permission.

In another attack scenario, attackers bypass the various storage permission policies that give access to the stored videos and photos. it enables them to find the compromised user’s location via GPS metadata by taking photos or video and parsing the proper EXIF data

Attackers can be used this technique for both Google and Samsung Camera app. The Vulnerability can be tracked as (CVE-2019-2234).

“Researchers also find a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call.”

Exploiting the Google Camera Vulnerability

Photos and videos that taking via Android Camera will be stored on the SD card since it falls under the “sensitive data” category, and the other apps that need access to photos and videos required to have special permission (storage permissions).

To do so, AOSP created a specific set of permissions that an application must request from the user.

Basically, storage permissions give broad access to the entire SD card since the permissions are frequently requesting by a large number of applications for a legitimate purpose even it has no special interest in photos or videos. 

To experiment in an attack scenario, Checkmarx researchers tried to access the permission policy by abusing the Google Camera app itself, forcing it to do the work on behalf of the attacker.

This board range of storage access allows a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the Android Camera app, the rogue application also has a way to access the current GPS position of the phone and user. . Checkmarx said via blog post.


Researchers developed a proof-of-concept app implemented with basic storage permission and demonstrate the PoC by dividing the 2 parts(client and server).

In the client part, a malicious app running in the Android phone, and a server-part that represents an attacker’s command-and-control (C&C) server.

Once the client apps started, it establishes a connection with the Command & Control server controlled by the attacker and waiting for a further command and the attacker can perform the attack and take control of the Android Camera anywhere in the world.

Watch the following Proof-of-concept video:

Once the attacker C2 Server console could allow him to see which devices are connected and perform various activities.

  • Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
  • Record a video on the victim’s phone and upload (retrieve) it to the C&C server
  • Parse all of the latest photos for GPS tags and locate the phone on a global map
  • Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
  • Wait for a voice call and automatically record:
    • Video from the victim’s side
    • Audio from both sides of the conversation

Google fixed the bug and released an update to the Google Camera Application in July 2019 via Google play store. you can also read the complete report here.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

PrestaShop Website Under Injection Attack Via Facebook Module

A critical vulnerability has been discovered in the "Facebook" module (pkfacebook) from for...

Beware Of Illegal OTT Platforms That Exposes Sensitive Personal Information

A recent rise in data breaches from illegal Chinese OTT platforms exposes that user...

Beware Of Zergeca Botnet with Advanced Scanning & Persistence Features

A new botnet named Zergeca has emerged, showcasing advanced capabilities that set it apart...

Mailcow Mail Server Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) affecting Mailcow versions before 2024-04 allow attackers to...

Hackers Attacking Vaults, Buckets, And Secrets To Steal Data

Hackers target vaults, buckets, and secrets to access some of the most classified and...

Hackers Weaponizing Windows Shortcut Files for Phishing

LNK files, a shortcut file type in Windows OS, provide easy access to programs,...

New Highly Evasive SquidLoader Attacking Employees Mimic As Word Document

Researchers discovered a new malware loader named SquidLoader targeting Chinese organizations, which arrives as...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles