The security research team at Checkmarx has made something of a habit of uncovering alarming vulnerabilities, with past disclosures covering Amazon’s Alexa and Tinder. However, a discovery of vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, is the biggest to date. What did the researchers discover? Oh, only a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser.
Google and Samsung camera app vulnerabilities
When the Checkmarx security research team began researching the Google Camera app, on the Pixel 2XL and Pixel 3 smartphones that were to hand, they found several vulnerabilities. All of these were initiated by issues allowing an attacker to bypass user permissions. “Our team found a way of manipulating specific actions and intents,” Erez Yalon, director of security research at Checkmarx said, “making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung’s Camera app.” The implications of these vulnerabilities, given the footprint of Google and Samsung smartphones alone, presented a significant threat to hundreds of millions of users.
The vulnerabilities themselves (CVE-2019-2234) allowed a rogue application to grab input from the camera, microphone as well as GPS location data, all remotely. The implications of being able to do this are serious enough that the Android Open Source Project (AOSP) specifically has a set of permissions that any application must request from the user and be approved before enabling such actions. What the Checkmarx researchers did was to create an attack scenario that abused the Google Camera app itself to bypass these permissions. They did so by creating a malicious app that exploited one of the most commonly requested permissions: storage access. “A malicious app running on an Android smartphone that can read the SD card,” Yalon said, “not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will.”
How could an attacker exploit these Google Camera app vulnerabilities?
Checkmarx created a proof of concept (PoC) exploit by developing a malicious application, a weather app of the type that is perennially popular in the Google Play Store. This app didn’t require any special permissions other than basic storage access. By just requesting this single, commonplace permission, the app would be unlikely to set off user alarm bells. We are, after all, conditioned to question unnecessary and extensive permission requests rather than a single, common, one. This app, however, was far from harmless. It came in two parts, the client app running on the smartphone and a command and control server that it connects to in order to do the bidding of the attacker. Once the app is installed and started, it would create a persistent connection to that command and control server and then sit and wait for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions? I hope you are sitting down as it’s a lengthy and worrying list.
- Take a photo using the smartphone camera and upload it to the command server.
- Record video using the smartphone camera and upload it to the command server.
- Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.
- During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
- Capture GPS tags from all photos taken and use these to locate the owner on a global map.
- Access and copy stored photo and video information, as well as the images captured during an attack.
- Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.
- The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.