A security flaw was detected in Google and Samsung’s Android smartphones that allowed malicious apps to record and access content without the user knowing about it. It was also possible to upload the recorded content to a remote server, as per a report.
The vulnerability was discovered by security firm Checkmarx and highlighted by Ars Technica. The weakness allowed malicious apps to record videos and take images that could then have been uploaded to the attacker’s server. The flaw could have been used against high-value targets to record their surroundings by gaining access to the smartphone’s camera and physical location.
Typically, Android smartphones need the user’s permission to access the location, camera, and microphone. However, in this case, the app would start recording videos and taking photos without the user’s consent. The app only needed access to the smartphone’s storage, which is usually granted by all users.
To demonstrate the flaw, the security firm created a proof-of-concept rogue app that exploited the weakness. The malicious Weather app was able to take pictures, record videos, access GPS data, eavesdrop on and record two-way phone conversations while simultaneously capturing photos and videos, and download any JPG image or MP4 video stored on the phone’s SD card. The app was also able to transfer all the data to a remote server.
The smartphone’s screen would display the camera when recording a video or photo, allowing users to know what was going on. However, the app could also gain access to the smartphone’s proximity sensor to know when the device was placed face down, so that it could record without the user noticing.
Google addressed the issue on its Pixel smartphones through an update in July. “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” said Google in its statement.
Samsung, too, has fixed the flaw through an update. The company, in its statement, said, “Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly.”
It is unknown if smartphones from other brands were also vulnerable to the flaw. This also raises the question of why apps were able to access the camera without user permission in the first place. Checkmarx speculates that the weakness may be the result of Google making the camera work with the voice-activated Google Assistant and other manufacturers following suit.