Massive Android Exploit Lets Hackers Control Your Camera, Affects ‘Hundreds of Millions’ of Users

A security firm has discovered a major Android exploit that would allow hackers to take control of your smartphone’s camera in the background and use it to take pictures or record video while the phone is locked. The security report reveals that the exploit affects Google and Samsung smartphones, bringing the tally of affected users into the “hundreds of millions.”

According to Forbes, security research firm Checkmarx discovered the Android vulnerability—the “biggest to date”—in early July, and has been working with Google and Samsung to patch the exploit before making their findings public this week.

In essence, the researchers found that a user could take advantage of vulnerabilities in the stock Google Camera app to bypass several very important permissions, taking control of the camera, the microphone, and location data remotely by requesting only one “permission” from the user: Storage Access. Full technical details about the exploit can be found here, but Checkmarx director Erez Yalon summed it up for Forbes:

A malicious app running on an Android smartphone that can read the SD card not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will.

Uh oh…

After discovering these vulnerabilities, the Checkmarx team developed a fake “weather” app as proof of concept. Once a user installed the app and allowed it “storage access,” it would allow the hackers persistent access to the phone, even if the app was closed. Using this access, hackers could take a photo, record video, record calls while recording video, pull GPS tags from all photos taken after the app was installed, and even access stored photos and videos.

All of this could take place silently, in the background, even if the phone was locked.

This was revealed to Google on July 4th, classified as “high severity” by the Android Security team on July 23rd, and on August 1st, Google officially confirmed that this was an ecosystem vulnerability that affected other Android smartphone manufacturers as well.

The good news is, if you’re regularly updating your smartphone, you should already have the patch installed. A Google spokesperson told Forbes that a patch was pushed out in late July and made available to “all partners” shortly thereafter. The bad news? This is one of the most extreme and extensive vulnerabilities anybody has ever discovered in a smartphone, ostensibly worth hundreds of thousands of dollars on the black market.

Thank goodness the Checkmarx team are researchers and not hackers.


Image credits: Header photo by Pathum Danthanarayana, CC0

Discussion