Technology
Forget Pegasus, camera on your Android phone can spy on you
New Delhi, Nov 21
WhatsApp snooping via the Israeli spyware Pegasus has shown that smartphones have become new-age surveillance tools, and now security researchers have identified that the selfie camera in your smartphone can easily spy on you.
According to Erez Yalon and Pedro Umbelino, security researchers at cyber security firm Checkmarx, the vulnerabilities they found impact the camera apps of smartphone vendors like Google Pixel and some Samsung devices in the Android ecosystem, presenting significant implications for hundreds of millions of smartphone users.
Both Google and Samsung have issued a security patch for the vulnerabilities.
"Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app, ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues," said Yalon.
After further digging, they found that these same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem - namely Samsung.
After a detailed analysis of the Google Camera app, the team found that by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permissions to do so.
Additionally, they found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, "as well as GPS metadata embedded in photos, to locate the user by taking a photo or video".
It is known that Android camera applications usually store their photos and videos on the SD card. Since photos and videos are sensitive user information, in order for an application to access them, it needs special permissions: storage permissions.
"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card. There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos," said the researchers.
It means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch the photos and videos after they are taken.
Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user.
Google said: "We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure.
"The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners," the company said.
Samsung has also patched the vulnerability, said the researchers.
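For app developers, the class of issue described above (an app that holds a sensitive permission and acts on intents from callers that do not) can be checked for in the app's own manifest. The following is an added example, not code from Checkmarx, Google or Samsung: it lists components that other apps can invoke without holding any permission. The manifest, package, component and custom action names are constructed for illustration; the article does not give the affected component details.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver")

# Constructed sample manifest; package, component and action names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".CaptureActivity" android:exported="true">
      <intent-filter><action android:name="com.example.camera.action.RECORD"/></intent-filter>
    </activity>
    <receiver android:name=".ShutterReceiver">
      <intent-filter><action android:name="com.example.camera.action.SHUTTER"/></intent-filter>
    </receiver>
    <service android:name=".GuardedCaptureService" android:exported="true"
        android:permission="android.permission.CAMERA"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""


def unguarded_exported_components(manifest_xml):
    """Return (tag, name, actions) for components any app can invoke unchecked."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        actions = {a.get(A + "name") for a in comp.iter("action")}
        exported = comp.get(A + "exported")
        # With no explicit flag, declaring an intent filter exports the component
        # (the default before Android 12 made the attribute mandatory).
        is_exported = exported == "true" if exported is not None else bool(actions)
        # A caller must hold this permission; the <application> value is the fallback.
        guarded = comp.get(A + "permission") or app.get(A + "permission")
        launcher_only = actions == {"android.intent.action.MAIN"}  # triage heuristic
        if is_exported and not guarded and not launcher_only:
            findings.append((comp.tag, comp.get(A + "name"), sorted(actions)))
    return findings


if __name__ == "__main__":
    for tag, name, actions in unguarded_exported_components(SAMPLE_MANIFEST):
        print(f"{tag} {name} is exported without android:permission; actions={actions}")
```

Each finding is a candidate for either `android:exported="false"` or an `android:permission` requirement on the component, so that a caller must hold the same permission the component exercises on its behalf.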