Bug in Google Camera put Android users at risk of being secretly recorded

Not one to let Facebook outdo it, Google has revealed a vulnerability in Android that made it possible for attackers to hijack your camera and secretly take photos and record video, even when the phone is locked or the screen is off.

The bug, found by researchers from Checkmarx, stemmed from permission bypass issues in the Google Camera app. The issue (tracked as CVE-2019-2234) affected Pixel phones, and also extended to devices from Samsung and other manufacturers.

“An attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so,” the researchers write. “Additionally, we found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data.”

The security firm has demonstrated a proof of concept of the attack in a video uploaded to YouTube.

Google has since confirmed the issue, thanking the researchers for their work. Interestingly, the bug has already been resolved.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” the company said in a statement. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

Still, perhaps Google’s Project Zero researchers should take a break from finding bugs in iOS to deal with their own security mishaps, so others don’t have to.

Disclaimer: The views, suggestions, and opinions expressed here are the sole responsibility of the experts. No Digi Observer journalist was involved in the writing and production of this article.
