A security research team found several vulnerabilities, tracked as CVE-2019-2234, in the camera app of Pixel 2 XL and Pixel 3 smartphones. All of them were made possible by a flaw that allows an intruder to bypass the user's permissions.
After further investigation, the researchers also found that the same vulnerabilities affect the camera apps of other smartphone vendors in the Android ecosystem, namely Samsung. This poses a serious security threat to hundreds of millions of smartphone users.
Israel-based software security platform Checkmarx conducted a detailed analysis of the Google Camera app. During the analysis, the team found that by tampering with specific intent filters and actions, an intruder can abuse the app to capture photos and record videos through unauthorized channels.
In addition, they found that certain attack scenarios enable malicious attackers to sidestep storage permission policies. This security loophole gives an intruder access to pictures and videos stored on the SD card, as well as the GPS information attached to each photo. The attacker can also take a new photo and extract the user's location from it. Furthermore, the unauthorized actor can parse the EXIF data to locate the user, which poses a serious threat of physical danger to millions of Android and Samsung users. The attacker can even get information when the phone is lying face down.
Erez Yalon, director of security research at Checkmarx, stated in his official blog post:
“The ability for an application to retrieve input from the camera, microphone, and GPS location is considered highly invasive by Google themselves. As a result, AOSP created a specific set of permissions that an application must request from the user. Since this was the case, Checkmarx researchers designed an attack scenario that circumvents this permission policy by abusing the Google Camera app itself, forcing it to do the work on behalf of the attacker.”
Efforts to close this loophole have been in progress since July 4 this year, when Checkmarx submitted its vulnerability report to the Android security team at Google. On August 1, Google confirmed that these vulnerabilities could impact the larger Android ecosystem, including other smartphone vendors. On August 18, Google contacted its potential vendors, and on August 29 Samsung confirmed that this security vulnerability also affected its devices.
To demonstrate how dangerous this vulnerability is, the Checkmarx team also created a proof-of-concept (PoC) app that requires no permission other than the storage permission, a very basic permission that the majority of apps request from the user.
They uploaded a video to YouTube describing the procedure an intruder might follow to attack a Pixel 2 XL device running the latest Android 9.
This mock-up app showed that an attacker using a C&C (Command and Control) console server from anywhere in the world can establish a connection as soon as the phone user opens a sample weather app that holds the storage permission. This connection remains persistent, even if the app is terminated.
Response from Google and Samsung
The official response from Samsung has yet to be announced, as reported by Forbes.
After the discovery, Google confirmed the bug and thanked the researchers for their work. It resolved the issue via a Play Store update to the Google Camera application. Google expressed its gratitude:
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure.” Google further added that it released a patch in July for this security loophole.
Recently, it was observed that the Google Pixel 4 smartphone could be unlocked while both of your eyes were closed. Google confirmed it, and it was afterward rectified by an update.
Make sure you are using an updated Android OS.
Featured image: Christopher Hebert/IDG
Samsung has issued a statement:
“We recommend that all users keep their devices updated with the latest software to ensure the highest level of protection possible,” a Samsung spokesperson told CNN. Samsung has released patches since the issue was discovered.