CVE-2019-2234 vulnerabilities in Android Camera Apps

Cybersecurity experts from Checkmarx discovered multiple vulnerabilities in the Camera apps affecting millions, if not hundreds of millions, of Android devices that could allow other apps to record video, take pictures, and extract GPS data from media without having the required permissions.

Overview

The vulnerabilities are collectively tracked as CVE-2019-2234.

After analyzing the Google Pixel’s Camera app, Checkmarx researchers discovered numerous intents that could be combined to manipulate the device’s camera in order to take pictures and record video through a rogue application that has no permissions to do so.

In other words, the apps that have the ‘Storage’ permission, which gives the app access to the device’s entire SD card and the media stored on it, also gives an app the ability to use the Camera app’s exposed intents without the permissions android.permission.CAMERA, android.permission.RECORD_AUDIO, android.permission.ACCESS_FINE_LOCATION, and android.permission.ACCESS_COARSE_LOCATION .

The researchers also determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off.

Severity: High

Affected systems

This vulnerability, known as CVE-2019-2234, is known to affect the Google Camera and Samsung Camera apps if they have not been updated since before July 2019.

Impact

Attackers could exploit them to conduct several activities, including recording videos, taking photos, recording voice calls, tracking the user’s location.

PoC of the attack

The experts developed a PoC weather application, without specific permissions, that established a persistent connection with the attacker’s command-and-control (C&C) server that was able to siphon any kind of data from the target phone, even when the rogue app was closed.

The operator of the C&C console can see which devices are connected to it, and perform the following actions (among others):

Take a photo on the victim’s phone and upload (retrieve) it to the C&C server
Record a video on the victim’s phone and upload (retrieve) it to the C&C server
Parse all of the latest photos for GPS tags and locate the phone on a global map
Operate in stealth mode whereby the phone is silenced while taking photos and recording videos
Wait for a voice call and automatically record:
- Video from the victim’s side
- Audio from both sides of the conversation

Patch and resolution

According to Google, this vulnerability in the Camera app was fixed in July 2019 via a Google Play Store update and a patch was issued to other vendors.

Samsung also confirmed to have addressed the issue.

Recommendations

All users are strongly advised to upgrade to the latest version of Android and make sure you are using the latest Camera app for your device.

References