The security research team at Checkmarx has made something of a habit of uncovering alarming vulnerabilities, with past disclosures covering Amazon’s Alexa and Tinder. However, a discovery of vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, is the biggest to date. What did the researchers discover? Oh, only a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser.
Google and Samsung camera app vulnerabilities
When the Checkmarx security research team began researching the Google Camera app, on the Pixel 2 XL and Pixel 3 smartphones that were to hand, they found several vulnerabilities. All of these stemmed from issues allowing an attacker to bypass user permissions. “Our team found a way of manipulating specific actions and intents,” Erez Yalon, director of security research at Checkmarx, said, “making it possible for any application, without specific permissions, to control the Google Camera app. This same technique also applied to Samsung’s Camera app.” The implications of these vulnerabilities, given the footprint of Google and Samsung smartphones alone, presented a significant threat to hundreds of millions of users.
The vulnerabilities themselves (CVE-2019-2234) allowed a rogue application to grab input from the camera and microphone, as well as GPS location data, all remotely. The implications of being able to do this are serious enough that the Android Open Source Project (AOSP) specifically defines a set of permissions that any application must request from the user, and have approved, before performing such actions. What the Checkmarx researchers did was to create an attack scenario that abused the Google Camera app itself to bypass these permissions. They did so by creating a malicious app that exploited one of the most commonly requested permissions: storage access. “A malicious app running on an Android smartphone that can read the SD card,” Yalon said, “not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will.”
How could an attacker exploit these Google Camera app vulnerabilities?
Checkmarx created a proof of concept (PoC) exploit by developing a malicious application, a weather app of the type that is perennially popular in the Google Play Store. This app didn’t require any special permissions other than basic storage access. By requesting just this single, commonplace permission, the app would be unlikely to set off user alarm bells. We are, after all, conditioned to question unnecessary and extensive permission requests rather than a single, common one. This app, however, was far from harmless. It came in two parts: the client app running on the smartphone, and a command and control server that the client connected to in order to do the bidding of the attacker. Once the app was installed and started, it created a persistent connection to that command and control server and then sat and waited for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions? I hope you are sitting down as it’s a lengthy and worrying list.
- Take a photo using the smartphone camera and upload it to the command server.
- Record video using the smartphone camera and upload it to the command server.
- Wait for a voice call to start by monitoring the smartphone’s proximity sensor to determine when the phone is held to the ear, then record the audio from both sides of the conversation.
- During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
- Capture GPS tags from all photos taken and use these to locate the owner on a global map.
- Access and copy stored photo and video information, as well as the images captured during an attack.
- Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.
- The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.
The Google Camera app vulnerability disclosure timeline
The publication of this disclosure today was coordinated with both Google and Samsung to ensure that both had issued fixes for the vulnerabilities. Behind the scenes, however, the disclosure process started on July 4, when Checkmarx submitted a vulnerability report to the Android security team at Google. On July 13, Google initially set the severity of the vulnerability as moderate, but following further feedback from Checkmarx, this was raised to high on July 23. On August 1, Google confirmed that the vulnerabilities impacted the broader Android ecosystem, with other smartphone vendors affected, and CVE-2019-2234 was issued. On August 18, multiple vendors were contacted, and on August 29 Samsung confirmed that the vulnerability affected their devices.
What does Google say about the camera app vulnerabilities?
I contacted Google, and a spokesperson told me: “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
I also reached out to Samsung for a statement regarding this disclosure. At the time of publication, no response had been forthcoming, but I will update this article if that situation changes. However, the disclosure of the vulnerabilities was delayed until both Google and Samsung had issued fixes, so if you have the latest versions of your camera app then you should be protected from this attack scenario.
To mitigate your risk, update to the latest version of the Android operating system, ensure you have the latest available security fixes applied, and install the latest version of the camera app for your device.
The ‘jaw-dropping’ security expert opinion
I asked Ian Thornton-Trump, a cyber threat intelligence expert and CompTIA global faculty member, for his take on the seriousness of this vulnerability disclosure and how it plays into the broader smartphone security narrative. “My jaw dropped when I read this report about just how vulnerable the camera app was,” Thornton-Trump says, “it did not sound like a vulnerability, it sounded more like an Advanced Persistent Threat (APT) actor with fully-featured spyware.” Indeed, Thornton-Trump observed that, had the security researchers been wearing black hats, they could easily have monetized this research for hundreds of thousands of dollars. “Everyone is safer today because of the great work and integrity of the Checkmarx researchers,” Thornton-Trump says.
Like most of us, Thornton-Trump is happy that Google issued a fix and issued it quickly, but says that, based upon the severity and comprehensive nature of the vulnerabilities, “it’s time for Google to apply perhaps some of the ‘Project Zero’ capability to dig deeply into the Android OS itself.” There’s little doubt that the high number of Android vulnerabilities being disclosed is hurting the Android brand. The recent ‘White Screen of Death’ problem hasn’t helped in the reputation stakes either. Google needs to do more as far as customer assurance regarding the security and confidentiality of devices running Android is concerned. In the meantime, “anyone with anything to protect needs to update right away,” Thornton-Trump says, “if you can’t update the device due to age or a lack of manufacturer support it’s time for a new device.”