Security researchers at Checkmarx recently discovered a vulnerabilities in the Google Camera app that allowed attackers to silently take photos and record videos as well as access stored videos and photos by circumventing storage permission policies.
The security vulnerabilities, which placed hundreds of millions of Android smartphone users at risk, were first discovered by security researchers at Checkmarx earlier this year who proceeded to notify Android’s Security team at Google through a detailed vulnerability report in July.
The report outlined how an attacker could gain access to smartphone users' camera functions as well as to stored photos and videos by circumventing storage permission guidelines and by exploiting vulnerabilities in the Google Camera app.
The researchers created a Proof of Concept (PoC) video using Google Pixel 2 XL and Pixel 3 smartphones to demonstrate how dangerous the exploit was to Android users.
The exploit involved an attacker creating a seemingly-benign weather app that only requested "storage access" to operate, but once installed, communicated with a command-and-control server to gain access to the Google Camera app and to storage folders that stored photos and videos.
"This means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user," wrote researchers Erez Yalon and Pedro Umbelino in a blog post.
Critical Google Camera vulnerabilities allowed malicious apps unprecedented access
By simply requesting access to storage, the app created by the researchers gained access to a smartphone's SD card and could copy stored photos and videos and send them back to the C&C server.
The app was also capable of various tasks such as taking photos on the victim's phone, recording videos on the victim's phone, parsing all of the latest photos for GPS tags and locating the phone on a global map, operating in stealth mode whereby the phone is silenced while taking photos and recording videos, and recording audio from both sides of a conversation.
While initially setting the severity of Checkmarx's findings as Moderate, Google ultimately raised the severity of the finding to "High" and by August 1, confirmed that the vulnerabilities may affect other Android smartphone vendors and issued CVE-2019-2234.
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners," said Google.
Craig Young, senior security researcher at Tripwire, said that in this case, Google left an open activity for triggering the CameraActivity specifying that it should take a picture or record a video. A malicious app with storage permission could trigger the activity and then access the resulting media files from the phone’s internal storage. It is frankly quite shocking that Google would make such a mistake in their own camera app.
"In the long-term, I think AOSP needs to seriously consider finer grained access controls between apps. Something like a firewall for Intent messages so that users have some control over which other apps a given app can interact with."
"If you've ever taken photos on your Android phone that you'd prefer to keep private, be they important documents or lewd photos, then this vulnerability is a big concern," says Paul Bischoff, privacy advocate at Comparitech.com.
"Access to internal storage is the most common Android permission requested by apps on Google Play. Those apps could all have pulled off this attack to steal existing photos stored on users' phones, take new photos, listen in on conversations while recording video, and get location data from stored photos. That's a huge privacy and security risk for most Android users," he adds.