Wednesday, April 30, 2025
HomeAndroidAndroid Camera Bug Let Hackers Spy on 100 Million+ Android Users Camera...

Android Camera Bug Let Hackers Spy on 100 Million+ Android Users Camera by Taking Video’s & Photo’s

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a critical vulnerability in the Android Camera app that allows hackers to remotely control the camera to take photos and/or record video using the malicious app without app permission.

This Android camera vulnerability considers being a serious concern in the Android ecosystem since the advanced camera and video capabilities are playing a massive role in Android users.

Critical permission bypass vulnerabilities initially discovered in the Google Pixel 2 XL and Pixel 3 on-hand Camera app, when digging deeper, researchers found the same vulnerabilities also affected some of the major smartphone vendors such as Samsung.

- Advertisement - Google News

It poses a serious threat to hundreds of millions of smartphone users, and the attackers installing the malicious app to gain complete Android Camera access without appropriate permission.

In another attack scenario, attackers bypass the various storage permission policies that give access to the stored videos and photos. it enables them to find the compromised user’s location via GPS metadata by taking photos or video and parsing the proper EXIF data

Attackers can be used this technique for both Google and Samsung Camera app. The Vulnerability can be tracked as (CVE-2019-2234).

“Researchers also find a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call.”

Exploiting the Google Camera Vulnerability

Photos and videos that taking via Android Camera will be stored on the SD card since it falls under the “sensitive data” category, and the other apps that need access to photos and videos required to have special permission (storage permissions).

To do so, AOSP created a specific set of permissions that an application must request from the user.

Basically, storage permissions give broad access to the entire SD card since the permissions are frequently requesting by a large number of applications for a legitimate purpose even it has no special interest in photos or videos. 

To experiment in an attack scenario, Checkmarx researchers tried to access the permission policy by abusing the Google Camera app itself, forcing it to do the work on behalf of the attacker.

This board range of storage access allows a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the Android Camera app, the rogue application also has a way to access the current GPS position of the phone and user. . Checkmarx said via blog post.

Proof-of-Concept

Researchers developed a proof-of-concept app implemented with basic storage permission and demonstrate the PoC by dividing the 2 parts(client and server).

In the client part, a malicious app running in the Android phone, and a server-part that represents an attacker’s command-and-control (C&C) server.

Once the client apps started, it establishes a connection with the Command & Control server controlled by the attacker and waiting for a further command and the attacker can perform the attack and take control of the Android Camera anywhere in the world.

Watch the following Proof-of-concept video:

Once the attacker C2 Server console could allow him to see which devices are connected and perform various activities.

  • Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
  • Record a video on the victim’s phone and upload (retrieve) it to the C&C server
  • Parse all of the latest photos for GPS tags and locate the phone on a global map
  • Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
  • Wait for a voice call and automatically record:
    • Video from the victim’s side
    • Audio from both sides of the conversation

Google fixed the bug and released an update to the Google Camera Application in July 2019 via Google play store. you can also read the complete report here.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Trellix Launches Phishing Simulator to Help Organizations Detect and Prevent Attacks

Trellix, a leader in cybersecurity solutions, has unveiled its latest innovation, the Trellix Phishing...

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...