Massive Android flaw left Camera app vulnerable to hijackers


Pixel 3a
Here's another reason to ditch Android.
Photo: Google

Security researchers revealed a huge vulnerability in Google’s Android operating system that could have allowed hackers to access users’ photos and camera without their knowledge.

The camera app vulnerability was potentially present on hundreds of millions of Android phones and tablets. Tech security firm Checkmarx highlighted the dangers of the flaw by creating a proof-of-concept weather app that can record phone calls, snap photos and send all the data to a remote server.

Samsung and Google coordinated with Checkmarx on the bug’s disclosure. The issue affected both Google Camera and Samsung Camera apps. Google released a patch for the vulnerability, known as CVE-2019-2234, in July of 2019.

Checkmarx found that Android allowed apps to use the Camera app and content connected to it when they only had ‘Storage’ permissions. Hackers could have used the flaw to take photos, record videos, pull GPS data from photos and automatically record phone calls. Here’s a video of the team hacking the Pixel camera.

After discovering the bug on Pixel phones, the team then checked out other Android phones and found it was present on Samsung’s devices too.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”


