Unauthorized activities could be triggered even if a phone is locked, its screen is turned off, or a person is in the middle of a call.
A vulnerability in some Android phones from vendors including Google and Samsung could allow criminals to take control of hundreds of millions of users' smartphone camera apps, enabling them to take photos, record videos and audio, and deduce locations — all without users' knowledge or consent.
In a blog post Tuesday, Checkmarx researchers Erez Yalon and Pedro Umbelino described how they "cracked into the applications themselves that control these cameras to identify potential abuse scenarios." They found permission bypass vulnerabilities, designated CVE-2019-2234, initially in two Google Pixel models that could allow a malicious actor to control the camera and gain access to stored photos, videos, and GPS metadata. The unauthorized activities could be triggered, the researchers wrote, even if a phone is locked, its screen is turned off, or a person is in the middle of a call. They went on to discover other phones running the Android operating system, including those from Samsung, had the same issue.
Yalon and Umbelino provided a proof-of-concept app that demonstrated how the vulnerability could be exploited. Under responsible disclosure procedures, Checkmarx first notified Google of the vulnerability in July. Google has released a patch for its devices via the Play Store and has made the update available to all hardware partners. Samsung and other vendors were notified in mid-August and have since released fixes.
Read more here.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024