Researchers discovered a critical vulnerability in the Android Camera app that allows hackers to remotely control the camera to take photos and/or record video using the malicious app without app permission.
This Android camera vulnerability considers being a serious concern in the Android ecosystem since the advanced camera and video capabilities are playing a massive role in Android users.
Critical permission bypass vulnerabilities initially discovered in the Google Pixel 2 XL and Pixel 3 on-hand Camera app, when digging deeper, researchers found the same vulnerabilities also affected some of the major smartphone vendors such as Samsung.
It poses a serious threat to hundreds of millions of smartphone users, and the attackers installing the malicious app to gain complete Android Camera access without appropriate permission.
In another attack scenario, attackers bypass the various storage permission policies that give access to the stored videos and photos. it enables them to find the compromised user’s location via GPS metadata by taking photos or video and parsing the proper EXIF data.
Attackers can be used this technique for both Google and Samsung Camera app. The Vulnerability can be tracked as (CVE-2019-2234).
“Researchers also find a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call.”
Exploiting the Google Camera Vulnerability
Photos and videos that taking via Android Camera will be stored on the SD card since it falls under the “sensitive data” category, and the other apps that need access to photos and videos required to have special permission (storage permissions).
To do so, AOSP created a specific set of permissions that an application must request from the user.
Basically, storage permissions give broad access to the entire SD card since the permissions are frequently requesting by a large number of applications for a legitimate purpose even it has no special interest in photos or videos.
To experiment in an attack scenario, Checkmarx researchers tried to access the permission policy by abusing the Google Camera app itself, forcing it to do the work on behalf of the attacker.
This board range of storage access allows a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the Android Camera app, the rogue application also has a way to access the current GPS position of the phone and user. . Checkmarx said via blog post.
Proof-of-Concept
Researchers developed a proof-of-concept app implemented with basic storage permission and demonstrate the PoC by dividing the 2 parts(client and server).
In the client part, a malicious app running in the Android phone, and a server-part that represents an attacker’s command-and-control (C&C) server.
Once the client apps started, it establishes a connection with the Command & Control server controlled by the attacker and waiting for a further command and the attacker can perform the attack and take control of the Android Camera anywhere in the world.
Watch the following Proof-of-concept video:
Once the attacker C2 Server console could allow him to see which devices are connected and perform various activities.
- Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
- Record a video on the victim’s phone and upload (retrieve) it to the C&C server
- Parse all of the latest photos for GPS tags and locate the phone on a global map
- Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
- Wait for a voice call and automatically record:
- Video from the victim’s side
- Audio from both sides of the conversation
Google fixed the bug and released an update to the Google Camera Application in July 2019 via Google play store. you can also read the complete report here.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
.webp "Reveal(x)")
