Cybersecurity firm checkmark has recently discovered an unexpected vulnerability in Andriod OS which allows hackers to take control of your Samsung’s camera, record phone calls, or a GPS system that is used to track the device. The vulnerability affects Google’s Pixel other than Samsung, whose camera app can be exploited with the same degree. Samsung provided the security patch for the app in the November 2019 security update which is currently rolling out on different Galaxy devices. The vulnerability is labeled CVE-2019-2234 but was not acknowledged in the changelog for the latest security patch for secrecy reasons. However, now that a fix is already being deployed, Checkmarx has been given the green light by both Google and Samsung to make these findings public.
On July 04, 2019 the Android security team at Checkmarx submitted a report with proof to the Android. A week later, Google Google acknowledged CVE-2019-2234 to be of moderate severity, but on July 23 the company raised the severity level to High after Checkmarkx sent further feedback. Later on, Google confirmed that security vulnerability is also affecting other Andriod devices as well. On August 29, Samsung confirmed that its phones are also affected.
In essence, the vulnerability at hand can be exploited by a malicious app without requiring any special permission from the operating system, making it highly dangerous. The Camera app on Android OS takes advantage of special permissions, i.e. ‘storage permissions’ to capture and store photos and videos to the internal storage/SD card. A malicious app that also has storage permissions can exploit this vulnerability and gain access to the camera without requiring permission from the user and access all stored photos and videos.
Using a proof-of-concept app coupled with a command-and-control (C&C) server, Checkmarx discovered that vulnerability poses a major concern for user’s privacy. A malicious app could take photos and record videos using the affected phone’s cameras, and upload them to the server. An attacker could also locate the phone on the global map via GPS, and automatically record phone calls with both sides of the conversation. The app can do all of this in stealth mode whereby it silences the phone whenever it captures photos or records videos. It all sounds pretty scary, but the report by Checkmarx didn’t mention any name or app so we don’t know if that exists in our phones or not but this vulnerability has already been fixed by Samsung so things seem to be fine so far.