How it works?
Android camera applications usually store their photos and videos on the SD card: in order to access SD card, it needs a permissions called "storage permissions" .
Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card.
This means that a malicious application can require access to storage, and grab photos and/or videos without specific camera permissions.
Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user.
Researchers from Checkmarx discovered that, manipulating specific actions and intents through a malicious application, an attacker can control the Google Camera app and take photos and/or record videos with no permissions to do so .
The same technique can also used on Samsung’s Camera app.
Research team realized a PoC, creating a client-part that represents a malicious app running on an Android device, and a server-part that represents an attacker’s command-and-control (C&C) server:
The malicious app we designed for the demonstration was nothing more than a mockup weather app that could have been malicious by design. When the client starts the app, it essentially creates a persistent connection back to the C&C server and waits for commands and instructions from the attacker, who is operating the C&C server’s console from anywhere in the world. Even closing the app does not terminate the persistent connection.
The operator of the C&C console can see which devices are connected to it, and perform the following actions (among others):
- Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
- Record a video on the victim’s phone and upload (retrieve) it to the C&C server
- Parse all of the latest photos for GPS tags and locate the phone on a global map
- Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
- Wait for a voice call and automatically record:
- Video from the victim’s side
- Audio from both sides of the conversation
Note: The wait for a voice call was implemented via the phone’s proximity sensor that can sense when the phone is held to the victim’s ear.
Checkmarx also released an interesting video of the PoC:
I there a fix?
Once discovered the vulnerability, and verified reproducibility and exploitability, research team notify Google of their findings.
According with Google response, the issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019.
A patch has also been made available to all partners.
So, ensure you update all applications on your device!