This dangerous Android vulnerability could let someone hack your phone’s camera
Experts have warned about several new vulnerabilities in Google and Samsung smartphones, which could allow an attacker to control a device’s camera app, remotely take photos, record videos and even spy on users’ conversations and location.
The flaws were discovered by Checkmarx’s security research team, which initially began exploring the Google camera app on a Pixel 2 XL and Pixel 3, where it discovered multiple vulnerabilities stemming from authorization bypass issues.
Checkmarx dug further and found that these vulnerabilities also affect the Samsung camera app and other Android smartphone vendors as well.
Checkmarx’s director of security research, Erez Yalon, and senior security researcher Pedro Umbelino explained in a blog post how they were able to use a rogue app to control the Google camera app:
“After a detailed analysis of the Google camera app, our team found that through the manipulation of specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that does not have permissions to do so.”
“In addition, we found that certain attack scenarios allow malicious actors to bypass various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata in the images, to locate the user by selecting a photo or video and analyzing the correct EXIF data. This same technique also applied to Samsung’s camera app.”
To exploit the weaknesses its team found in the Google camera app, Checkmarx developed a malicious application as a proof-of-concept exploit. The weather app it created requires no special permissions beyond basic storage access, a common permission requested by many other apps on the Google Play Store.
In addition to its weather app, Checkmarx also built a command-and-control server, to which the app connects in order to carry out an attacker's instructions. Once the app is installed and opened on the user’s device, it creates a persistent connection to the command-and-control server and waits for instructions.
Even if a user closes the app, it would still be connected to the server, and an attacker could send commands to take a photo, record video, record audio of voice calls, read the GPS tags of photos, and access the data stored on the device. All photos and videos taken by the app would then be uploaded to the server.
Checkmarx's proof-of-concept exploit would also allow an attacker to record videos and take photos when the smartphone was locked.
Both Google and Samsung have issued updates for the flaws. To avoid falling victim to a similar attack, users should update their devices to the latest Android version, make sure the latest available security patches have been applied, and update their camera app as well.
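For app developers, the flaw class described above (an app holding camera and microphone permissions acting on intents from callers that hold none) can be triaged from the manifest. The following is an added example, not code from Checkmarx, Google or Samsung: the manifest, package and component names are constructed, and the heuristic (exported component without an `android:permission` guard in an app that holds a sensitive permission) is an assumption about what deserves manual review.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION"}
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a hypothetical camera app (not from any real APK).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".CaptureActivity">
      <intent-filter><action android:name="com.example.camera.CAPTURE"/></intent-filter>
    </activity>
    <activity android:name=".SecureCaptureActivity" android:exported="true"
        android:permission="android.permission.CAMERA"/>
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(component):
    """Explicit android:exported wins; without it, an intent-filter implied
    exported=true on Android versions before 12."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def unguarded_components(manifest_xml):
    """Return exported components reachable by callers holding no permission,
    in an app that itself holds a sensitive permission."""
    root = ET.fromstring(manifest_xml)
    held = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if not held & SENSITIVE:
        return []
    app = root.find("application")
    app_guard = app.get(ANDROID + "permission") if app is not None else None
    findings = []
    for comp in root.iter():
        guarded = comp.get(ANDROID + "permission") or app_guard
        if comp.tag in COMPONENTS and is_exported(comp) and not guarded:
            findings.append((comp.tag, comp.get(ANDROID + "name")))
    return findings


if __name__ == "__main__":
    for tag, name in unguarded_components(SAMPLE_MANIFEST):
        print(f"review: exported <{tag}> {name} has no android:permission guard")
```

Each finding is a candidate for review, not a confirmed bug: a launcher activity is exported by design, so the question for each hit is whether it performs a privileged action on the caller's behalf.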
Released on Sat, 23 Nov 2019 03:41:44 +0000