Google reports that it has patched a bug that allowed hackers to take control of Android phone cameras and microphones and to access GPS location without the owners' consent.
The vulnerability was discovered by the security firm Checkmarx, which noticed many bugs in the Google Camera software that could be used to spy on users. Checkmarx also stated that the bug impacts hundreds of millions of smartphone users, including those using Samsung phones.
Researchers have discovered a disturbing security flaw that could cause certain Android apps to spy on users without them knowing.
The vulnerability enables an intruder to take control of the Android phone camera and take pictures or record videos through a rogue program without the consent of the user.
According to the firm, the team found that an intruder could manipulate an app into taking pictures and filming videos without authorization by exploiting the bug.
What Checkmarx Observed: Image-Embedded GPS Metadata
Checkmarx also observed that in some situations, hackers could view stored videos and photos and see image-embedded GPS metadata that can give away the location of the user.
The company was able to exploit these bugs with a mockup weather app, which required only simple storage permission from an Android user. Storage rights are extensive and give unrestricted access to the user's SD card. Other private data could also be accessed using this hack.
Use of Camera License
“Without a camera license, a rogue application can take pictures and videos without hassles. Furthermore, the rogue application also has a way to access the current GPS position of the phone and user when placing them on the app,” the security team said.
After finding the vulnerability, the firm told Google that, after reviewing the issue, it discovered that the bugs were “not unique to the Pixel product line” and that “the effect was much larger and applied to the wider Android ecosystem.”
Since then, the tech giant has patched the bugs and praised the security firm for finding the problem.
“We understand that Checkmarx is bringing this to our notice and partnering with Google and Android partners to organize transparency,” said a Google spokesperson. “The problem was solved in affected Android users through the Google Camera Software Play Store update in July 2019. The fix was also made available to all parties.”
Samsung has also issued updates to address this problem since it was found.
“We appreciate Checkmarx’s attention in co-ordinating divulgation and work with Google and Android partners,” a spokesperson for Google said in a statement. “The issue in July 2019 was tackled by issuing an update for the Google Camera application on the affected Google device through a Play Store. Patches were also provided for all partners,” said Samsung at CNN Business.
“We urge all customers to update to the latest software on their smartphones to guarantee maximum protection,” a Samsung spokesperson said.