Researchers have disclosed a high-severity issue that could allow attackers to hijack the Google Camera App, the built-in smartphone camera for Android phones. The issue was fixed for Google-manufactured phones in July – but Google said patches are still rolling out to smartphones in the broader Android ecosystem, including to Samsung phones.
Researchers found that when a third-party application requests “storage permissions” from an Android phone user, it is able to access the camera, record video and access geolocation data embedded in stored photos. An app would normally need users to grant specific permissions for each of these functions (such as the android.permission.CAMERA, android.permission.RECORD_AUDIO, android.permission.ACCESS_COARSE_LOCATION and android.permission.ACCESS_FINE_LOCATION); however, the “storage permissions” bundles in all these permissions automatically, unbeknownst to Android users.
Listen to Threatpost’s interview with Checkmarx security head Erez Yalon, about the hack (or download direct here).
“Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card,” said Checkmarx researchers, who discovered the flaw, in a Tuesday analysis. “There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it’s one of the most common requested permissions observed.”
All an attacker would need to do to exploit this is create an app and lure victims into downloading it. Researchers for their part created a proof of concept (PoC) app – a mock weather app – that only requested the basic storage permissions from users. After that was granted, the app was then able to take photos and record videos on the victims’ phone (even if the phone is locked and the screen is turned off), access stored videos and photos, and the GPS metadata embedded in stored photos (to potentially locate the users).
While researchers confirmed that Google Pixel and Samsung smartphones are impacted, they said that the issue affects the broader Android ecosystem, “presenting significant implications to hundreds of millions of smartphone users.”
Researchers reported the flaw on July 4 to Google’s Android security team. On Aug. 18, multiple vendors were contacted regarding the flaw, and on Aug. 29 Samsung confirmed that its phones were affected.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said in a media statement. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung did not respond to a request for comment from Threatpost.
Below is a lightly-edited transcript of Threatpost’s podcast (above). Also download the podcast directly here.
Lindsey O’Donnell Welch: Welcome back to the threat post podcast. You’ve got Lindsey O’Donnell Welch with Threatpost here and I’m joined today with Erez Yalon, who heads the security research group at Checkmarx, Erez. Thank you so much for joining us today.
Erez Yalon: Hi, Lindsey. Great being here.
LO: Great. Erez, you’re here today to discuss some new research that Checkmarx just released today, in fact, regarding a new vulnerability that could allow attackers to hijack Android cameras and potentially even spy on Android users. And you know, researchers discovered multiple concerning high-severity vulnerabilities that stemmed from the permission bypass issue in a Google camera app. So first of all Erez can you tell us kind of the backstory of this research? Were you looking specifically for Android camera vulnerabilities? Or was this something that researchers just kind of stumbled upon?
EY: Okay, so in Checkmarx what we do, we’re an application security company. Some of what we do as a research team in Checkmarx is look outside, look in the wild and see what is the state of security currently with software. In these days, we all know that software is really everywhere. We have it from web applications to mobile applications to IoT and everywhere, actually.
So every now and then we take a look and make a deep dive into a specific website or mobile operating system. And this time, we kind of targeted the native applications that come with with a Pixel phone, a Google Pixel phone. And we look at the applications that actually come by default with the phone. And one of the things we noticed is a small permission issue with the camera application of the phone. We noticed that by doing some manipulations of the intent, of the actions, a rogue application or malicious application would be able to ask to take a picture without actually having the right permissions for it. Soon after, we escalated that and noticed that we can do the same by taking a video without permission, by recording a video.
Since we managed to do that also, while a phone call is taking place, we could eavesdrop to conversation of both sides during the phone call. And also, from the pictures we managed to take without permission, we managed to get the geolocation, so we could actually see and track, let’s say the victim. To top it all, this is something that we managed to do when the screen was off, and even when the phone was locked. So it’s a serious breach of privacy. And the victims would not even be able to tell that something is going on.
LO: So it seems like in terms of permissions that attackers could specifically circumvent, you focused on taking pictures, taking videos, and then was well, you also focused on the various storage permission policies. Is that what linked to the geolocation that you mentioned too in terms of collecting that GPS metadata?
EY: So the only permission that we needed to complete the entire exploit was the storage one. The thing is that I think most of the application these days, request the storage permission. Some of them are not necessarily regarding pictures or videos. And this is not something that will raise any suspicion or red flags with a user. But when we got the storage permission, it was very easy to get pictures and videos taken in live or from past sessions, and to get all the information from them.
LO: So talk about how an attacker could launch this attack, right? Because you mentioned that this could be done using kind of a “rogue app.” So could an attacker potentially create an app, have a victim download that and then utilize this permission bypass vulnerability to attack them?
EY: Yes, this is exactly the vector of attack. The application we created was kind of a fake weather app. But it could be also anything else. Any game or a calculator or whatever other application you can think of. It can work normally and looks like it’s just benign and just doing what it’s supposed to do, and then in the background, create this privacy breach that we discussed.
LO: And a potential victim wouldn’t even see anything? Or would they see the storage permission but not see that that implies that an attacker could have those broader set of storage permissions or what would a potential user see from from their standpoint?
EY: Okay, so that’s interesting. And that was kind of fun for us as researchers because it was kind of an evolution of the attack. First we managed to invoke a selfie, but obviously, the victim would both see the screen taking a picture and also hear the click of the shutter of the camera. Soon after that, we managed to remove the sound of the shutter and make it more stealthy.
And after that, we also manage to make sure that the pictures and videos are only taken when the screen is either covered or during a phone call when we know that the victim would not see it. As you said, the storage permission is nothing that would raise the red flag. And also after taking a video or a picture without the victim knowing, that we could have deleted it from the storage after sending it to the hacker. So there is absolutely no trace.
LO: Right. And I feel as though that’s the most disturbing part of this research is the fact that it’s completely stealthy, and there’s really no red flags for a potential victim to notice if they were part of this potential hack. So that’s really interesting. Now you guys were using the Google Pixel 2 XL on the Google Pixel 3 when you started researching the Google camera app, but then you found after further digging that the same vulnerabilities are on camera apps of other smartphone vendors, right? How many vendors are potentially impacted?
EY: Our research was, as I told you focused around the Google Apps. After disclosing everything to Google – and I’ll be happy to discuss also their response – But one of the first steps was we kind of suspected that other vendors from the Android ecosystem would also be vulnerable with their own camera applications. Google confirmed that might be the issue. And they actually contacted all the vendors of the Android ecosystem. They indeed told us that there are some vendors that are affected by the same thing. Only Samsung confirmed they’re affected. So we did our disclosure also to them and worked with them on the solution and on the publication. Other vendors did not say that they’re also affected. And we did not actually bother to check because our goal is basically to let everyone know that they need to check their apps. And we’re hoping we managed to do that. There might be other companies that have.
LO: Yes, I mean, speaking of disclosure, you mentioned in the research that when you reach out to Google, you had a positive experience in terms of disclosure and rolling out patches, can you talk a little bit about what they did to mitigate the issue and the process of rolling out those fixes.
EY: So both Google and Samsung are very researcher friendly, let’s say it like that. It’s very easy the process for us as researchers and security researchers to to contact them and disclose our findings. Usually they are very serious with triaging the issues. And the same happened here. Quite quickly, they triaged it and decided that this the severity of this issue is high. And not surprisingly, of course, and started working on the patch while collaborating with us. The first release of the patch fixed the issue, but they were not sure that it does not break other functionalities. So we decided to wait with the publication until they release the final patch. Also, meanwhile, Samsung kind of joined the discussions and asked us to wait even more, more than the usual 90 days that we usually give to the vendors because the process of rolling out the the patches and the fixes for a large vendor like Samsung. It’s very complex. And we definitely understood that. And since we don’t want to put anyone in danger, we decided to wait with the publication and this is why we’re going out only now with the approval and green light of Google and Samsung.
LO: And when did you first discover the vulnerability, just for some context around the timeline here?
EY: The first vulnerability was found in June, around June and the initial fixes rolled out about a month later.
LO: For me, one of the kind of overarching issues that this report points to is, obviously this vulnerability, but you know, also mobile app permissions and how it’s possible for, in this specific instance, any application without specific permissions to control the Google camera app, and force it to take photos or record videos. But when it comes to third party app permissions in general, I feel like this is really becoming a bigger issue in terms of data privacy and data collection, especially because videos and photos are so personal.
So what are some of the overarching issues that you’re seeing around mobile app permissions or mobile privacy today, because I hate to say it, but when I am faced with a lot of mobile app permissions, you’re just so inundated by third party apps asking for access to certain things that it’s easy for consumers just to kind of click ‘okay’ without looking further into what the implications are there.
EY: Yeah, so let’s start with your last sentence, we definitely see consumers and users affected by we call it “permissions fatigue.” It came to the point that no matter what permissions people are being presented with, if they really want the app, they will probably say, okay, especially if they’re not really, they don’t really understand what it means. Definitely if there are children or the specific app is, is really trending. I’m not sure we will be able to fix it. This is something that we need maybe to put more more focus and awareness on and education of consumers. And we would also expect Google and Apple to check the permissions and then the activities that the application in their stores are requiring. And if it makes sense. Again, it’s not an easy challenge. But in general, try to download only applications that you really feel secure about. And if not, just don’t be surprised if something happened.
LO: And what would your recommendations be for anyone using Google camera app in terms of patches? Are these patches automatic at this point, or do they need to update?
EY: The patches are released as app updates. So if users have automatic updates on your phone turned on then they should be safe. If not, turn it on and to update all the applications not only the camera application, in general to keep your operating system and applications up to date is always a good idea. This is just an example. But these findings are happening all the time with different severities and different applications. So this is just a general rule of thumb that should be followed.
LO: Great. And Erez one final question. Was there anything else that stuck out to you in terms of this research or any takeaways or anything else you want to make clear as a final point?
EY: Well, many people asked me what is the difference between this research and many other researches and others said, “Well, we all know that Google and Facebook and Apple are recording and looking at us all the time.” So I think it’s important to say that the the potential victims here were in the hundreds of millions around the globe. And I don’t think all of these people really knew that this breach may take place at anytime. The privacy issue where people say that they know they’re being recorded, and all the time…We know that sometimes we feel that our privacy are in the hands of big actors like Google and Apple, but this time even simple hackers, if they could have gotten this exploit, would be controlling your privacy and pictures and location and video, so this is a bit different than what people would consider the usual lack of privacy when holding a phone.
LO: Right. It seems much more specific and lucrative for cyber criminals for sure. Erez, thank you so much for coming onto the Threatpost podcast today.
EY: Sure. My pleasure.
LO: And once more this is Lindsey O’Donnell Welch with Threatpost joined with Erez Yalon with Checkmarx. Catch us next week on the Threatpost podcast.
Also, check out our podcast microsite, where we go beyond the headlines on the latest news.