Google Admits That “Others” Can Access The Camera On Samsung & Android Smartphones
By Alanna Ketler for Activist Post
- The Facts: Hackers have successfully been able to access the front-facing cameras on Google and Samsung phones without permission from the user and regardless of whether or not the phone was unlocked. They were able to take pictures and record video.
- Reflect On: Why should you care? This is an outright invasion of our right to privacy. If we continue to willingly give up all our rights, soon we won’t have any left.
As handy as they are, our smartphones are literally portable tracking devices. Because they are equipped with GPS technology, their owners can easily be located; and for most Android users a record of where they’ve been each day since they’ve had their fancy phones is stored online. If that’s not creepy enough, the microphones on our phones are also able to record our conversations because they are listening even when we don’t think they are. Finally, you know those handy front-facing cameras often used to capture the perfect selfie? Recently, researchers have revealed how this camera can be used to spy on users. Who would have thought?
The security research team from Checkmarx has uncovered a major vulnerability that affects Google and Samsung smartphones and has the potential to impact hundreds of millions of Android users across the globe. Apparently, it’s now fixed, but the researchers discovered a way for a hacker to take control of the front-facing camera and remotely take photos, record video, listen in on your conversations and more, all silently in the background without your awareness.
And, although it’s important to note that the following is merely speculation, if hackers have the ability to do this, then you better believe that the NSA and other high-level government agencies are able to do the same thing.
What Did The Checkmarx Security Research Team Find?
Their research began with the Google Camera app on the Pixel 2 XL and Pixel 3 smartphones, where they found a few vulnerabilities that stemmed from allowing an attacker to remotely bypass user permissions. Apparently, facial recognition, fingerprint and password security are not as secure as we’ve been led to believe.
“Our team found a way of manipulating specific actions and intents,” Erez Yalon, director of security research at Checkmarx, said, “making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung’s Camera app.”
Davey Winder of Forbes.com explains how an attacker is able to exploit the Google Camera app vulnerabilities:
Checkmarx created a proof of concept (PoC) exploit by developing a malicious application, a weather app of the type that is perennially popular in the Google Play Store. This app didn’t require any special permissions other than basic storage access. By just requesting this single, commonplace permission, the app would be unlikely to set off user alarm bells. We are, after all, conditioned to question unnecessary and extensive permission requests rather than a single, common one. This app, however, was far from harmless. It came in two parts, the client app running on the smartphone and a command and control server that it connects to in order to do the bidding of the attacker. Once the app is installed and started, it would create a persistent connection to that command and control server and then sit and wait for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions?
I hope you are sitting down as it’s a lengthy and worrying list.
- Take a photo using the smartphone camera and upload it to the command server.
- Record video using the smartphone camera and upload it to the command server.
- Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.
- During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
- Capture GPS tags from all photos taken and use these to locate the owner on a global map.
- Access and copy stored photo and video information, as well as the images captured during an attack.
- Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.
- The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.
Of course, when Google was confronted about this alarming issue, they seemed glad to hear about it so that they could fix the problem, telling Winder after he reached out,