A new bug has been found in the camera apps from Google, Samsung, and other OEMs that lets a malicious app secretly spy on owners through their own phone's cameras. For the hijacking to succeed, all the malicious app needs is to be granted data storage permissions.


Google has lately been focusing on protecting user data through app privacy controls, and the company has employed a more fine-grained permission system that asks for and grants access to specific hardware capabilities only on a case-by-case basis. Unfortunately, a bug reported by Checkmarx last July is able to circumvent that using what looks like a legitimate non-camera app.

The application would look harmless both to users and to Google's automated anti-malware systems, and it may not even ask for permissions beyond access to data storage, perhaps to save settings or files. But the bug would allow it to hijack camera apps, which also use storage permissions to save photos and videos. The malicious app could then remotely and silently control the camera app to take photos or record videos, or even use the camera app's GPS access to get the phone's location.

Checkmarx researchers, who discovered the flaw, said in their Tuesday analysis: “Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card. There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it’s one of the most common requested permissions observed.”

While camera apps from other OEMs might also be affected, the vulnerability has so far been named as affecting the camera apps from Google and Samsung. Following the rules of disclosure, the security research group alerted Google about the vulnerability in July, and Samsung acknowledged the bug in August this year. While Google said that it has already patched the issue, Samsung has yet to give a statement.
