Android users beware: rogue apps could be using your phone’s camera against you, taking pictures and videos without your knowledge and sending them to attackers. They could even record your phone calls and make others aware of your location.
News of the vulnerability, which affects the Android camera app used by millions of Google Pixel and Samsung Android users, comes courtesy of application security testing company Checkmarx which has been working with Google and Samsung to fix it. The company’s researchers figured out a way to hijack the camera on Android phones using a permission bypass vulnerability.
Aware that the camera, microphone and location are highly sensitive, Google gates them behind a set of runtime permissions that the user has to grant explicitly before an app can use them. These permissions are:
android.permission.CAMERA
android.permission.RECORD_AUDIO
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
The vulnerability that Checkmarx discovered enables apps to bypass the need for those permissions as long as they have storage permissions that enable an application to access the SD card. In a report on the vulnerability, the company explained:
An application that has access to storage not only has access to past photos and videos (which it already had, by permission design, nothing new there), but also has a way to access newly taken photos and videos by abusing the Google Camera app exported components.
In other words, an app holding nothing more than storage permission can drive the camera app through those exported components and then read whatever it captures from shared storage, which turns the camera into a remotely controlled sensor:
By manipulating the specific actions and intents, an attacker can now control the Google Camera app to take photos and/or record videos through a rogue application that has no permissions to do so.
Certain conditions on the phone could let an attacker harvest still more data, the report continued. If the camera app was set to geotag photos, so that GPS coordinates were embedded in the photos’ EXIF metadata, the rogue app could read that data and find out where the photos were taken (and therefore where the user had been).
The attack can use the phone’s front or back camera, and can also operate in stealth mode while the lock screen is on.
The team tested out the vulnerabilities by creating their own weather app, which bypassed permissions so that it could take photos and videos. The software had two parts: a client residing on the phone communicated with a back-end command and control (C2) server that enabled the researchers to control its activities on the victim’s phone.
Using the app, the researchers not only took videos and photos with geolocation information but also recorded both sides of a phone conversation, all without the user’s knowledge. The company produced a video detailing the project and outlining some real-world attack scenarios.
Google assigned the vulnerability a ‘moderate’ rating after Checkmarx’s first report in July but subsequently raised it to ‘high’. Then, late that month it agreed with the researchers that the bug might affect other Android OEMs. Samsung confirmed that its phones were subject to the flaw in August.
Both vendors have fixed the problem in their own builds of the camera app; Google rolled its fix out via the Google Play Store in July this year. Updating your Android OS and camera app to the latest version is always advisable, as is auditing the apps you use to see which permissions you have granted them, and asking whether you’re really OK with that dodgy flashlight or fart app with no reviews having full access to your SD card.
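One way to do that audit from a desktop, as an added example that is not part of the article or of Checkmarx’s research: the Python below parses the text printed by `adb shell dumpsys package` and flags apps that hold a granted storage permission but none of the four camera, microphone and location permissions listed above, which is exactly the precondition the bypass required. The sample output is constructed for this example, and the exact line layout (which varies between Android releases) is an assumption, as are the package names.

```python
"""Flag installed apps that hold storage permissions but no camera/mic/location permission.

Added example, not code from the article or from Checkmarx. It parses the text
that `adb shell dumpsys package` prints per package. The sample below is
constructed for this example; the exact dumpsys line layout varies between
Android releases, so the two regexes encode an assumption about that layout.
"""
import re

# Permissions the article lists as gating camera, microphone and location.
SENSITIVE = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Storage permissions that, per the report, were enough to read freshly captured media.
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumed dumpsys layout: a "Package [name]" header, then "perm: granted=true|false" lines.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package: {permission: granted_bool}} from dumpsys package output."""
    grants = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            grants[current] = {}
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            grants[current][m.group(1)] = (m.group(2) == "true")
    return grants


def storage_without_camera(grants):
    """Packages with a granted storage permission but no granted sensitive permission.

    These are the apps that could have driven the camera through the exported
    components the article describes without ever asking the user for CAMERA.
    """
    flagged = []
    for pkg, perms in grants.items():
        has_storage = any(perms.get(p) for p in STORAGE)
        has_sensitive = any(perms.get(p) for p in SENSITIVE)
        if has_storage and not has_sensitive:
            flagged.append(pkg)
    return sorted(flagged)


# Constructed sample resembling `adb shell dumpsys package` output for three apps.
SAMPLE = """\
Packages:
  Package [com.example.weather] (7f3a1b2):
    userId=10142
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.messenger] (1c9e004):
    userId=10151
    User 0: installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (5ab77c1):
    userId=10160
    User 0: installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg in storage_without_camera(parse_dumpsys(SAMPLE)):
        print("storage granted but no camera/mic/location permission:", pkg)
```

On a real device, capture `adb shell dumpsys package` and pass the text to `parse_dumpsys`. On a patched phone a flagged app is merely over-privileged; on an unpatched one it is the shape of app this bug let in, so it is the first thing to prune. Note that the weather app above never requested CAMERA, which is precisely why a permission-only review would have missed it.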
Nonya
So, what about the rest of the Android community who can’t update at all and are stuck on a lower version with all of the bugs that have been found and revealed so far? Not everyone can just run the latest and greatest and shell out cash for a flagship Samsung or Google phone.
Paul Ducklin
That’s a tricky question. Many older devices (and lots of new ones FWIW) are supported by alternative Android versions such as LineageOS [q.v.]. This means you can get an Android install that is free of any proprietary Google code (though you may later want to install enough non-free Google components to get access to the Play Store, which is essentially off-limits to the open source part of Android).
Problem is that some older devices aren’t formally supported by well-known alternative distros either, given that they’re generally done for love not money, so you end up on the horns of a dilemma – do you bin the old device, which feels wrong, even if just environmentally; or do you trust unofficial builds of alternative distros that were knitted together by some unknown, albeit well-meaning, Android enthusiast, which feels scary?
Do you risk having the actual but known bugs that Google isn’t fixing, or do you risk having the possible bugs of a hobbyist coder you don’t know and probably never will?
I’ve used all three alternatives in my time, though never for my day-to-day work phone: official Google Android versions; mainstream Lineage releases; and one-off builds for obscure old phones from someone called Haxx0rRa1nBOW from Kuala Lumpur (I made those details up, of course) whom I have to take on trust but has obviously put in a lot of effort to work around obscure bugs and to fix broken features.
If you are interested, you might want to start browsing through online sites where many alternative Androiders hang out, such as the XDA-Developers [q.v.] forums. Even if you are overwhelmed or bemused at first, you might be encouraged to see how many people have “keep old phones running new Android versions” as a hobby…
anon
How is this line of thinking any different than finding ways to keep using an old Windows XP device running safely? It is possible but you have to slim way down on what online things you can do.
Paul Ducklin
The difference is huge because in the Android case you are running a build of *an up-to-date version of the Android open source code with the latest security improvements* – just not Google’s build of it, or the phone vendor’s build of it.
Remember, you have the source code so you can build the latest, fully-patched version even for old devices. (Whether it will work is another story, but at least you are able and allowed to try.)
When you keep an old XP laptop running, you have an old laptop plus the old and long-unpatched OS. You can’t get hold of the Windows 10 source code, so you can’t compile the new code for your old device, so you can only use the old version with all the left-over bugs still in there.
Nonya
Not many people are tech-literate enough to flash a phone enough to unlock their bootloader (which might not be possible depending on device) and flash a custom ROM. Many wouldn’t even know where to look for the ROM or even know what a terminal is. These are the main vulnerable people if it’s not a full-blown unassisted Remote Code Execution bug.
Plus, there are tons of downsides to unlocking the bootloader of a device. Some manufacturers disable things like 4K camera and wipe everything you need to watch protected content. There is no going back from that even if you relock your bootloader unless you know about it and knew where to look to make a backup beforehand.
You also make your device inherently a long more insecure by unlocking your bootloader or rooting.
Nonya
*To flash a phone and to unlock bootloader
*a lot more insecure
Paul Ducklin
[a] ‘more insecure’ than what?
[b] ‘flash’ with what?
[c] ‘a lot more’ according to what evidence?
I hear your concerns, but the fact that it *might* be insecure doesn’t mean that it *will* be… and doesn’t mean that you are putting yourself at more risk simply by doing some online reading to learn what that risk might be. (And see below for my first reply in this thread.)
Paul Ducklin
True. Unlocking your bootloader and then forgetting to lock it again *might* be dangerous. OTOH, carrying on using an eternally-unpatched device with already-known and exploitable permission bypass bugs *will* be dangerous.
However, the OP specifically asked, “What can be done?”
I don’t think I gave the impression it was trivial, or without risk – indeed, I implied it might be both complex and confusing when I wrote ‘even if you are overwhelmed or bemused at first…’
…but I wanted to make it clear that there are lots of volunteers out there who are trying pretty hard to keep old devices usable, secure and out of landfill. Thus my conclusion that ‘you might be encouraged to see how many people have “keep old phones running new Android versions” as a hobby.’
Plus, I suspect that your cohort of ‘at-risk’ users is self-limiting – if you don’t know where to get an unofficial ROM or how to unlock your bootloader then you are unlikely to unlock your bootloader and flash an unofficial ROM by mistake :-)
Amber
Can I ask if a port of the Google Camera for another device like Moto would also have the same vulnerabilities?
Paul Ducklin
Unfortunately, I think the answer is, “It depends.” What version, ported by whom, running on what underlying Android build, and with which features added, removed or altered? Presumably, the vast number of combinations (or do I mean permutations?) and their possible differences are why the researchers stuck to two builds and two vendors, and didn’t try to extrapolate from there…