Vulnerabilities / Threats

10/5/2020
04:45 PM
Android Camera Bug Under the Microscope

Critical Android vulnerability CVE-2019-2234 could enable attackers to take control of a victim's camera and take photos, record videos, and learn location.

Before it was patched last year, critical Android vulnerability CVE-2019-2234 could have given attackers the means to access the camera app on some smartphones from vendors including Google and Samsung. A criminal could exploit it to take photos, record videos and audio, or learn the victim's location without their knowledge or consent.

This vulnerability could be exploited even if the phone was locked, its screen was turned off, or if the person was on a call, explained Erez Yalon, director of security research at Checkmarx, where a team of researchers discovered the flaw last summer. Yalon offered a hacker's perspective of discovering and reporting the flaw in a talk at this year's virtual Black Hat Asia.


He began his discussion of the permission bypass vulnerability with a simple command to the Google personal assistant (PA): "Take a selfie," he said. 

Android apps talk to one another through intents, which come in two kinds. An explicit intent names the specific component in a specific application that should handle it. An implicit intent only describes the action wanted and leaves it to the system to find an app that has registered to handle that action. The selfie command produced an implicit intent: the PA sent a request to take a picture, the camera app matched it and opened the camera.

Because this involves communication between applications, some permissions must be in place for that to unfold. "The purpose of permissions is to protect the privacy of an Android user, and Android apps must request permission to access certain system features such as camera and Internet," he said.

A developer has to take several steps for permissions to be enforced: declare the permissions the app needs, check at runtime whether each one has been granted, and if it has not, request access to the camera, contacts, or whatever the app needs. To discover this bug, the researchers had to dig to learn where those checks should have been enforced but were not.

Finding the Flaw

The first step to finding a hole in any system is typically rooting through a lot of code, Yalon explained. In this case, they began by analyzing exported activities, which are activities that other applications can start by sending an intent that matches them. Each activity has several attributes; the exported attribute, set to "true" or "false", indicates whether a particular activity is exported, and therefore reachable from outside the app, he said.

Google's camera app provided many exported activities, which makes sense because it interacts with several different apps, he continued. Yalon and his team of researchers investigated further and noticed these activities mapped into different classes.

"When we dug inside this code, we managed to find different actions inside these classes, but not all of them are protected," Yalon explained. "We were looking for the classes and actions that did not have permission checks, and we actually found some."
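As an added example, not code from the article or from Checkmarx, the script below automates the first step described above: it parses an AndroidManifest.xml and lists every activity that another app could start and that is not gated by an android:permission attribute. The manifest it reads is constructed for this demonstration (the package name, activity names and custom permission are made up). It also covers the case an explicit exported="true" search would miss on the devices of that era: an activity with an intent-filter and no exported attribute at all was exported by default before Android 12.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(package, name):
    """Expand a manifest-relative class name (".Foo") to its full name."""
    return package + name if name.startswith(".") else name


def find_exposed_activities(manifest_xml):
    """Return [(activity_name, reason)] for activities that other apps can
    start and that declare no android:permission.

    An activity counts as reachable from outside when android:exported="true",
    or when it has an <intent-filter> and no exported attribute at all (the
    platform default before Android 12).
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    exposed = []
    # activity-alias entries are started the same way, so audit them too
    for act in list(app.findall("activity")) + list(app.findall("activity-alias")):
        name = _qualify(package, _attr(act, "name") or "")
        exported = _attr(act, "exported")
        has_filter = act.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter without android:exported (exported by default before Android 12)"
        else:
            continue  # exported="false", or no filter: not reachable from other apps
        if _attr(act, "permission") is None:
            exposed.append((name, reason))
    return exposed


# Constructed manifest for the demonstration; not any vendor's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <application android:label="ExampleCamera">
    <activity android:name=".CameraLauncher" android:exported="true">
      <intent-filter>
        <action android:name="android.media.action.IMAGE_CAPTURE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".VideoCamera">
      <intent-filter>
        <action android:name="android.media.action.VIDEO_CAPTURE"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".Settings" android:exported="false"/>
    <activity android:name=".PrivilegedCapture" android:exported="true"
        android:permission="com.example.camera.permission.CAPTURE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, reason in find_exposed_activities(SAMPLE_MANIFEST):
        print("%s: %s" % (name, reason))
```

Run as-is, it flags CameraLauncher (explicitly exported) and VideoCamera (implicitly exported through its intent-filter) and ignores the non-exported Settings activity and the permission-gated PrivilegedCapture. A manifest hit is only a lead: as the article describes, the camera bug was a missing check inside the code behind particular actions of exported classes, not a missing manifest attribute, so each flagged activity still has to be driven with crafted intents from a test app that holds no permissions (or manually with `adb shell am start -n <package>/<activity> -a <action>`) to see which actions run without a permission check.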

The camera did care who took a photo, they learned, but didn't check for the same permissions when starting the video camera, which immediately began recording – no questions asked; no permissions needed. They also found they didn't need permissions to switch between the front-facing and back-facing cameras. 

While taking a photo without permissions was trickier, it wasn't impossible. The researchers found that by using the photo timer, they could bypass the permission requirement and snap a picture.

With these findings, they decided to build a rogue application that could exploit these flaws while hiding inside another benign application. This rogue app, dubbed Spyxel, was purely for research purposes and never appeared on Google Play. Spyxel did not require any special permissions or access but could still take pictures or videos at will, Yalon said. The researchers built in a background process to ensure the app would remain persistent at all times.

How Spyxel Stayed Hidden

There were a few issues with keeping this malicious app under wraps. The camera app usually appears onscreen, it makes a shutter sound when taking a photo, and it stores media on the user's device – a clear sign that something could be wrong.

To clear the first hurdle, the researchers had the rogue app record images or video only when the user's screen was covered. The smartphone's proximity sensor reports when something is close to the screen, which is the case when the phone is lying face down or has been slipped into a pocket. With this step, Spyxel would record only when the user wasn't looking at the phone.

The shutter proved a challenge. "The phone cannot be muted without the right permission, and that makes sense," said Yalon. "You don't want any application to shut up your phone."

While the researchers weren't able to mute the shutter sound entirely, they found that without any permissions they could lower the volume until it reached complete silence. This was a clear issue, given muting wasn't possible without permission, and Google issued another CVE for the problem.

Most applications on Google Play use storage permissions; the camera app uses these to store media files. This was the only permission the team felt good about using in their rogue app, since most people grant storage permissions to smartphone applications. 

This also provided a segue into learning victims' location. Most pictures and videos have a location geotag embedded in the metadata, Yalon explained. It's turned on by default in most phones and in this case, gave the researchers a lot of information. They found they could use the metadata inside the pictures to keep tabs on a target phone. 

"We actually evolved the targeted phone into a tracking device," Yalon said. With a list of photos and videos and their geolocation data, the researchers could plot the phone's movements over time. All they would need is for a victim to download the rogue app and run it once, so it could stay persistent in the background.

Checkmarx reported the vulnerability to Google in July 2019. It was first rated as moderate by Google but later updated to severe following a demonstration and feedback from the Checkmarx team. In August, Google issued CVE-2019-2234 and contacted other Android phone vendors who may have been exposed. Samsung was the only vendor to confirm it was affected.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...