A vulnerability in some Android phones from vendors including Google and Samsung could allow criminals to take control of hundreds of millions of users’ smartphone camera apps, enabling them to take photos, record videos and audio, and deduce locations — all without users’ knowledge or consent.
In a blog post Tuesday, Checkmarx researchers Erez Yalon and Peter Umbelino described how they “cracked into the applications themselves that control these cameras to identify potential abuse scenarios.” They found permission bypass vulnerabilities, designated CVE-2019-2234, initially in two Google Pixel models that could allow a malicious actor to control the camera and gain access to storied photos, videos, and GPS metadata. The unauthorized activities could be triggered, the researchers wrote, even if a phone is locked, its screen is turned off, or the user is in the middle of a call. They went on to discover other phones running the Android operating system, including those from Samsung, had the same issue.
Yalon and Umbelino provided a proof-of-concept app that demonstrated how the vulnerability could be exploited. Under responsible disclosure procedures, Checkmarx first notified Google of the vulnerability in July. Google has released a patch for its devices via the Play Store and has made the update available to all hardware partners. Samsung and other vendors were notified in mid-August and have since released fixes.
Read more here.
Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio