Nowadays, the privacy and security of users have become merely a myth, even though there are plenty of systems meant to protect them. Unfortunately, the internet security firm Checkmarx has discovered a vulnerability that could bypass permissions on Android smartphones, potentially affecting hundreds of millions of devices.
According to Checkmarx, it has discovered a vulnerability in the Google Camera app as well as the Samsung Camera app that allows bad actors to record videos and snap photos, including audio recordings during calls and much more, by exploiting the said vulnerability.
Since Checkmarx did mention that the Google and Samsung smartphone lineups are among the top contenders for the vulnerability, it literally means that hundreds of millions of devices can be affected by it.
According to the report, the said vulnerability allows an attacker to use a rogue application that bypasses the system’s permissions, allowing it to capture photos and videos even though it doesn’t have any permissions to access storage or cameras, etc. The app needs storage permission to do the same, which is pretty easy for attackers to gain once the vulnerability is tweaked.
In fact, attackers can attach GPS coordinates to the photos and videos snapped, pinpointing the exact location of the victim in an attempt to extort a tonne of money, since the scope of the attack could be millions of users. Samsung alone is the largest smartphone manufacturer in the world, which gives a rough idea of the figure we are trying to comprehend.
Checkmarx tried to exploit the vulnerability by creating a malicious weather app made up of a malicious part and a command and control server part, allowing the attacker to command and control the attack. It turns out they were able to snap videos even when the victim was on a phone call, and were able to record the audio of the call, including what the person on the other side said.
The attackers could also silence the device while taking videos and photos, which should go undetected by victims since the phone won’t make any sound while obtaining these snaps. When it inquired, Checkmarx found out that although the issue is with Pixel as well, the vulnerability is far more widespread across the broader Android ecosystem, with many camera apps on Android being affected by these vulnerabilities. This gives attackers a wide range of devices, since Android currently runs on more than a billion devices, similar to Apple iPhones.
Google did mention that it has sent the patch via its July 2019 update. Furthermore, Google thanked Checkmarx for discovering this issue, since it could have ended worse if the internet security firm hadn’t been able to track it in time.