Samsung Camera app vulnerability puts your privacy at risk
Cybersecurity firm Checkmarx has discovered a dangerous vulnerability in Android OS which allows attackers to take control over the affected smartphone’s camera, record phone calls, and locate the device using GPS. The vulnerability affects Google’s Pixel smartphones and devices from other OEMs including Samsung, whose Camera app can reportedly be exploited in equal measure.
Thankfully, a fix has already been deployed along with the November 2019 security patch which is currently rolling out on a variety of Galaxy devices. The vulnerability is labeled CVE-2019-2234 but was not acknowledged in the changelog for the latest security patch for secrecy reasons. However, now that a fix is already being deployed, Checkmarx has been given the green light by both Google and Samsung to make these findings public.
A short timeline
Checkmarx submitted a report along with a proof-of-concept app to the Android security team on July 4, 2019. A week later, Google acknowledged CVE-2019-2234 to be of Moderate severity, but on July 23 the company raised the severity level to High after Checkmarkx sent further feedback.
It was on August 1 when Google confirmed that the vulnerability affects third-party Android devices as well. Multiple vendors were contacted in regard to the issue on August 18, and Samsung confirmed on August 29 that its smartphones are also affected.
Checkmarx wrote in its recent paper that “the professionalism shown by both Google and Samsung does not go unnoticed. Both were a pleasure to work with due to their responsiveness, thoroughness, and timeliness.”
Here’s how the vulnerability can be exploited
In essence, the vulnerability at hand can be exploited by a malicious app without requiring any special permission from the operating system, making it highly dangerous. The Camera app on Android OS takes advantage of special permissions, i.e. ‘storage permissions’ to capture and store photos and videos to the internal storage/SD card. A malicious app that also has storage permissions can exploit this vulnerability and gain access to the camera without requiring permission from the user and access all stored photos and videos.
Using a proof-of-concept app coupled with a command-and-control (C&C) server, Checkmarx discovered that the vulnerability poses a major concern for privacy. A malicious app could take photos and record videos using the affected phone’s cameras, and upload them to the C&C server.
An attacker could also locate the phone on the global map via GPS, and automatically record phone calls with both sides of the conversation. The app can do all of this in stealth mode whereby it silences the phone whenever it captures photos or records videos.
It all sounds pretty scary, but the report by Checkmarx doesn’t mention any real apps that can exploit this vulnerability so it’s unclear whether or not they exist in the wild. Either way, the good news is that the vulnerability is already being taken care of and Samsung has already rolled out the fix on a variety of Galaxy phones.