Android camera app can be hacked to spy on you, show researchers
A recent report shows how the camera app on Android can be hacked
An attacker could trigger the camera to record video or take photos
They could also access stored photos, GPS metadata, etc.
An attacker hacking into your Android phone’s camera app to view your surroundings and record you is a scary thought, but it is more likely than you probably think. A recent report published by Israeli security research firm Checkmarx reveals that the camera apps from Google and Samsung contain vulnerabilities which, when exploited, could allow an attacker to gain complete control over the app even if the app’s permissions (for storage, location, etc.) are locked.
In a detailed report and video published a few days ago, the researchers at Checkmarx demonstrate that their mock-up app—a seemingly harmless weather app—was able to hijack the default camera app on a Google Pixel 2 XL running Android 9 Pie. The video shows that Checkmarx’s app was able to record videos, take photos, bypass the camera app’s permissions, access stored media, and retrieve the user’s location through the media file’s GPS metadata.
The report mentions that this sort of hijack is possible with Samsung’s camera app as well. It goes on to say that Google responded by acknowledging the problem and letting Checkmarx know that a fix had already been sent out earlier in the year, in July. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
In the video, the researchers also show a real-life scenario in which this sort of attack could be dangerous to the user and their data. An attacker is seen making a call to the victim. When the victim places the phone against their ear, the attacker runs the mock-up hijack app to record video through the phone’s rear camera. The recorded video captures the sensitive data being viewed on the user’s external display, thus letting the attacker steal data using the hijack app.
Vignesh Giridharan