An Android flaw allows applications to spy on you through your smartphone’s camera and microphone. They can take pictures, record videos or even your conversations without permission. Data is directly transferred to third-party servers without the users’ knowledge.
Android requires specific permissions to allow applications to access the camera and microphone of smartphones.
However, a flaw identified by Checkmarx security researchers allows users to bypass authorizations and silently spy on them.
This vulnerability, which has the reference CVE-2019-2234, affects Google Camera, Samsung’s Camera application and potentially those of other brands.
As a proof of concept, Checkmarx has developed a weather application like any other that can be downloaded from the Play Store.
Once installed, it was possible to take pictures and record videos even when the screen is turned off or the smartphone is locked.
The scenario also normally occurs when the malicious application is closed. Everything is done in a discreet way without triggering the flash or the sound emitted when taking a photo.
The flaw also allows you to retrieve the GPS location from the metadata of the photos and videos. The camera is not the only component affected by this vulnerability.
According to Checkmarx, attackers can also access the microphone without permission and record phone calls and anything said around the user.
The data is then transferred to third-party servers. Finally, it is also possible to list and retrieve all the JPG photos or MP4 videos stored on the SD card.
Samsung and Google Have Deployed a Security Patch
Checkmarx shared its discovery with Google and Samsung last July. Following the release of the report on November 19, Google stated in a press release that “the problem has since been resolved with an update of the deployment on the Play Store.
A patch has also been made available to all partners. Samsung also stated that a patch has been applied to all its smartphones without specifying when this was done.
Apart from Google and Samsung, the report does not specify which other manufacturers may be affected by this vulnerability and no other brands have confirmed that they are concerned.
In any case, Android device owners must ensure that they have installed the latest system update and camera application update.