The bug, dubbed CVE-2019-2234 was discovered by the Checkmarx Security Research Team, is said to be linked to permission bypass issues. In Android, whenever third-party apps are installed, Google makes the apps request permission to access the phone’s photos, videos, microphone as well as the default camera app. However, the flaw allowed unauthorized apps to record videos, take pictures, record audio, and log GPS locations by simply asking for permission to access a device’s storage. Once the user gave the app permission to access storage, the bug would activate the camera and microphone without user’s permission or knowledge. In certain attack scenarios, the flaw would allow hackers to gain control over the device’s storage as well as access GPS metadata stored in photos’ and videos’ EXIF. The flaw was primarily triggered to target the Google Camera app available on Pixel devices and the Samsung Camera app that comes preloaded on Galaxy devices. In order to test their claim, the researchers used the Google Pixel 2 XL and Pixel 3 and “found multiple concerning vulnerabilities stemming from permission bypass issues.”
“[O]ur researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call,” researcher Erez Yalon wrote in a blog post. “After a detailed analysis of the Google Camera app, our team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so. “Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data. This same technique also applied to Samsung’s Camera app.” Both Google and Samsung were informed about the Android flaw in July by Checkmarx, which was fixed by them in the month via a Play Store update. “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” Google said in a statement. Samsung who has released patches to address all the potentially affected device models in a statement said, “We value our partnership with the Android team that allowed us to identify and address this matter directly.” Checkmarx notes that this flaw is not just restricted to Google’s Pixel phones, which means other Android smartphone brands could still potentially be vulnerable. In order to protect yourself from this vulnerability, it is recommended that you run the latest version of the Android operating system and the camera app. It is also suggested that you regularly update apps installed on your smartphone.