Shocking! Selfie camera on your smartphone can be used to spy on you! It can take photos, videos without permission too
According to Erez Yalon and Pedro Umbelino, security researchers at cyber security firm Checkmarx, vulnerabilities impact the camera apps of smartphone vendors like Google Pixel and some Samsung devices, putting privacy of millions of smartphone users at risk. Both Google and Samsung have issued a security patch for the vulnerabilities.
Your darkest fears have just come true! Security researchers have found that the selfie camera in your smartphone can easily spy on you. According to Erez Yalon and Pedro Umbelino, security researchers at cyber security firm Checkmarx, vulnerabilities impact the camera apps of smartphone vendors like Google Pixel and some Samsung devices, putting privacy of millions of smartphone users at risk. Both Google and Samsung have issued a security patch for the vulnerabilities.
"Having a Google Pixel 2 XL and Pixel 3 on-hand, our team began researching the Google Camera app, ultimately finding multiple concerning vulnerabilities stemming from permission bypass issues," said Yalon. After further research, the team found that similar vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem like Samsung.
The team said that a detailed analysis helped them find out that an attacker can control the app by manipulating specific actions and intents. It can then take photos and/or record videos through a rogue application that has no permission to do so. They have also found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, "as well as GPS metadata embedded in photos, to locate the user by taking a photo or video".
WATCH Zee Business TV LIVE Streaming Online -
Several Android smartphone users give storage permission as they are using a microSD card. This too puts the data at risk.
"Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card. There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos," said the researchers. It means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken.
Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user.
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners," the company said.
Samsung has also provided patches to fix the vulnerability, said the researchers.