Google has discovered a bug in Android that allows hackers and 3rd party Apps to hijack your camera, take pictures and record footage secretly even when the phone is locked, or the screen is off. The bug can be used in malicious ways to spy on users.
Google Camera Bug: Gives Camera Access to 3rd Party Apps
The bug found by Checkmarx researchers was triggered by issues of bypassing permission in the Google Camera software. The problem (submitted under CVE-2019-2234) limited Pixel phones, but it spread further to Samsung devices and other manufacturers.
Therefore, a malicious app could be created that would not have the permission of Camera, but could still operate those camera functions by routing them through these camera apps and taking advantage of their unprotected purpose and export activity.
Checkmarx developed a dummy weather application as a proof-of-concept that did not have the Camera permit. Still, it came with a single authorisation for Storage, one that did not appear out of order for a weather app. Without permission from the user, Google User and Samsung Camera could be activated by the weather app to take photos and record videos. When accessing this, the Storage permission comes into play, as well as all other images and videos stored at/DCIM — it is not mandatory for clicking photos and capturing videos actions.
Google has acknowledged the issue since then, thanking the researchers for their work. Google has said, “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure”.
Google has also said that an app update patched the bug in the Google Camera app in July 2019, and the same has also been addressed in the Samsung Camera app, although when this update is rolled out, there is no specific information.