Vulnerabilities discovered by researchers in the Android camera apps provided by Google and Samsung could have been abused by malicious actors to spy on millions of users.
Cybersecurity company Checkmarx stated on Tuesday that its researchers have found a way to abuse Android camera apps to carry out a broad range of espionage activities.
The attack was possible because of a set of vulnerabilities collectively tracked as CVE-2019-2234. The research was carried out on Google’s Pixel phones, but it was subsequently found that the camera application on Samsung smartphones was also affected.
Checkmarx demonstrated the impact of the vulnerabilities by building a fake weather application that requests only storage permissions.
By exploiting the camera app vulnerabilities while holding storage permissions, the malicious application could take a photo using the victim’s camera, record a video, and record both sides of a voice call.
The weather app established a persistent connection to the attacker’s server, which was not terminated when the fake application was closed, thus letting the attacker continue spying on the victim.
Normally, an application would have to request camera, microphone, location and storage permissions to be able to perform these activities, but CVE-2019-2234 made it possible to bypass those permission requirements by abusing the default camera app.