A security vulnerability in the Android system allowed hackers to exploit the phone’s camera app even without the user’s permission. This Android vulnerability was found in the Google Camera app and Samsung’s camera app.
The Android vulnerability is tracked as CVE-2019-2234 and was discovered by the Checkmarx Security Research Team. The security researchers discovered that the camera app on the Pixel 2 XL and Pixel 3 had permission bypass issues. The same vulnerability was found in the Samsung camera app as well, affecting hundreds of millions of smartphones.
This Android vulnerability allowed hackers to take control of the smartphone’s camera and use it to capture photos and record videos. Hackers could manage this through a rogue Android app. Checkmarx also discovered that hackers had the potential to access videos and photos saved on the phone. More detailed information, such as the GPS metadata and EXIF data of the photos, could also be obtained by hackers.
Since photos and videos are usually stored on the SD card, hackers could easily access them. Checkmarx also explained how storage permissions for SD card data can be easily exploited. This exploitation could take place even during voice calls, where the hacker could record the entire conversation of both the caller and the receiver.
“In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was in the middle of a voice call,” Checkmarx explained.
After being informed about the vulnerability, Google patched this bug through an update for the Google Camera app in July. The same was provided to other Android manufacturers as well.