The camera experience is one of the most important features on phones these days, and all smartphone vendors out there are in a race that has no end in sight to deliver the best mobile camera in the world. Google and Samsung are two of the leading contenders in this contest, but it turns out that Pixel and Galaxy phones suffered from a severe security issue that could have allowed hackers to access all photos and videos on a device without the user’s knowledge. Moreover, hackers could activate the camera in real time to extract information such as the user’s location, or record voice calls. The security issue was a lot broader than Google and Samsung phones, Google explained. And while Google Camera patches were issued to mitigate the problem, it’s unclear whether the vulnerabilities discovered can be used to target other Android devices.
In a blog post on Checkmarx, the security researchers explained how they were able to bypass the restrictions in place on Android phones and access information that shouldn’t be available to anyone.
The hackers used a rogue Android app connected to a command and control center of their own making to demonstrate the vulnerability and extract data from the targeted phone. To work, the hack requires the user to install a malicious app first, one that could access all the photos and videos from a device.
By requesting storage permission only, the rogue app would be able to access all user content on a microSD card, where photos and videos would be located on some phones. GPS data could easily be extracted from the images if the feature is enabled in the camera app.
Also, the researchers demonstrated an attack where they’d be able to detect calls by looking at the phone’s proximity sensor activity and then start recording video that could include audio from both sides of the conversation.
When notified, Google said the vulnerabilities were not specific to the Pixel products, and the impact was “much greater and extended into the broader Android ecosystem.” Samsung also acknowledged the issues.
The Google Camera app was patched in July, once Google was notified, and the patch was made available to all partners. According to Checkmarx’s timeline of events, multiple smartphone vendors were contacted about the issue. Samsung confirmed the findings on its own.
What the researchers can’t say, however, is whether anyone else abused Android similarly in the past to spy on certain people. Not to mention that there might be millions of devices at risk out there, assuming hackers actually attempt to recreate this particular attack.