Vulnerability in Google Camera app could have impacted millions of users


Security researchers at Checkmarx recently discovered vulnerabilities in the Google Camera app that allowed attackers to silently take photos and record videos as well as access stored videos and photos by circumventing storage permission policies.

The security vulnerabilities, which placed hundreds of millions of Android smartphone users at risk, were first discovered by security researchers at Checkmarx earlier this year who proceeded to notify Android’s Security team at Google through a detailed vulnerability report in July.

The report outlined how an attacker could gain access to smartphone users’ camera functions as well as to stored photos and videos by circumventing storage permission guidelines and by exploiting vulnerabilities in the Google Camera app.

The researchers created a Proof of Concept (PoC) video using Google Pixel 2 XL and Pixel 3 smartphones to demonstrate how dangerous the exploit was to Android users.

The exploit involved an attacker creating a seemingly-benign weather app that only requested “storage access” to operate, but once installed, communicated with a command-and-control server to gain access to the Google Camera app and to storage folders that stored photos and videos.

“This means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user,” wrote researchers Erez Yalon and Pedro Umbelino in a blog post.

Critical Google Camera vulnerabilities allowed malicious apps unprecedented access

By simply requesting access to storage, the app created by the researchers gained access to a smartphone’s SD card and could copy stored photos and videos and send them back to the C&C server.

The app was also capable of various tasks such as taking photos on the victim’s phone, recording videos on the victim’s phone, parsing all of the latest photos for GPS tags and locating the phone on a global map, operating in stealth mode whereby the phone is silenced while taking photos and recording videos, and recording audio from both sides of a conversation.

While initially setting the severity of Checkmarx’s findings as Moderate, Google ultimately raised the severity of the finding to “High” and by August 1, confirmed that the vulnerabilities may affect other Android smartphone vendors and issued CVE-2019-2234.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” said Google.

Craig Young, senior security researcher at Tripwire, said that in this case, Google left an open activity for triggering the CameraActivity specifying that it should take a picture or record a video. A malicious app with storage permission could trigger the activity and then access the resulting media files from the phone’s internal storage. It is frankly quite shocking that Google would make such a mistake in their own camera app.

“In the long-term, I think AOSP needs to seriously consider finer grained access controls between apps. Something like a firewall for Intent messages so that users have some control over which other apps a given app can interact with.”
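The condition Young describes is an exported component that any installed app can start. As an added example (not code from Checkmarx, Google or the original article), this Python check lists the components in an AndroidManifest.xml that other apps can reach without an `android:permission` guard; the sample manifest and every package, component and permission name in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package, component and permission names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <application>
    <activity android:name=".LauncherActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".CaptureActivity">
      <intent-filter><action android:name="com.example.camera.action.CAPTURE"/></intent-filter>
    </activity>
    <activity android:name=".GuardedCaptureActivity" android:exported="true"
              android:permission="com.example.camera.permission.CAPTURE"/>
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; without it, an intent-filter implies export."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def is_launcher(component):
    """The launcher entry point has to be exported, so it is not reported."""
    categories = {c.get(ANDROID + "name") for c in component.iter("category")}
    return "android.intent.category.LAUNCHER" in categories

def unguarded_exported_components(manifest_xml):
    """Names of exported, non-launcher components with no android:permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for component in app:
        if component.tag not in COMPONENT_TAGS or not is_exported(component):
            continue
        if component.get(ANDROID + "permission") or app_permission or is_launcher(component):
            continue
        findings.append(component.get(ANDROID + "name"))
    return findings
```

On the sample, only `.CaptureActivity` is reported: it has an intent filter, no explicit `android:exported`, and no permission requirement, so each finding of this kind needs a review of what the component does on behalf of its caller.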

“If you’ve ever taken photos on your Android phone that you’d prefer to keep private, be they important documents or lewd photos, then this vulnerability is a big concern,” says Paul Bischoff, privacy advocate at

“Access to internal storage is the most common Android permission requested by apps on Google Play. Those apps could all have pulled off this attack to steal existing photos stored on users’ phones, take new photos, listen in on conversations while recording video, and get location data from stored photos. That’s a huge privacy and security risk for most Android users,” he adds.


Copyright Lyonsdown Limited 2021
