Uncovered by a cybersecurity firm, an appalling flaw could turn Android-powered devices into spying goldmines, allowing hackers to secretly snap photos and record footage with no permission required.
No stranger to security loopholes, Android designers worked hard to bar apps from accessing cameras and mics, unless users give explicit permission by ticking corresponding boxes in the operating system’s properties. But a bombshell report by cybersecurity firm Checkmarx showed how trivial it is to bypass those restrictions.
A “rogue application” found not only on Google’s Pixel smartphones, but also on devices from Samsung and other manufacturers, needed no permissions at all to have the camera take pictures and record videos as well as audio records.
Even worse, a hacker could silence the camera shutter to make recording unnoticeable. Hijacking a device was also possible if the phone is locked or the screen is turned off.
The app allowed attackers to remotely upload stolen images and footage to their own servers, requiring the frequently-given permission to access storage.
Disturbingly enough, the flaw, discovered in July but reported this Wednesday, enabled to hijack a phone’s proximity sensor which activates when the device is held up to a user’s ear or lies face down.