Google and Samsung camera app vulnerabilities exposed

Research by application security specialist Checkmarx has revealed that the camera apps on Google and Samsung smartphones can be hacked.

The findings were published in a blog post by the company, having previously been shared with Google and Samsung to give them a chance to patch the vulnerabilities before the whole world found out about them. So while this isn’t sensational news, because the vulnerability no longer exists, it’s still good PR for Checkmarx and a general Android security wake up call.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” said a statement from Google in the blog. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.” The Indian government must have been disappointed.

Specifically it was found that third party apps could exploit the app permission system, through which new apps ask for your permission to access certain smartphone functions. A loophole allowed apps, once they had got permission to access the camera, to give remote control of the camera to baddies, thus allowing them to record what you’re up to.

“In doing so, our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off,” said the blog. “Our researchers could do the same even when a user was is in the middle of a voice call… Of course, a video also contains sound. It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well.”