A vulnerability in the Google Camera Application left millions of Google and Samsung smartphones open to being potentially abused potentially letting a malicious actor to take photos, download images and video and listen in to phone calls.

The flaw, CVE-2019-2234, is a permission bypass issue that enables real-time access to a phone through the camera application, according to a report by the Checkmarx Security Research Team. Takeover of the phone begins with the victim downloading a malicious app that requests storage access permission and that once downloaded creates a persistent connection to a command and control server that cannot be severed even if the app is closed, the screen is off or the phone locked.

The Checkmarx team tested its theories on a Google Pixel 2 and 3 model phones and Samsung later confirmed some of its devices that used the app were also susceptible to the vulnerability.

“We found that certain attack scenarios enable malicious actors to circumvent various storage permission policies, giving them access to stored videos and photos, as well as GPS metadata embedded in photos, to locate the user by taking a photo or video and parsing the proper EXIF data,” the team said.

Google and Samsung each confirmed the issue exists and Google has issued a patch to rectify the problem.

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners,” a Google representative said.

Craig Young, computer security researcher for VERT, was surprised Google allowed such a flaw to pass through its own quality and control efforts.

“One of the most important aspects of Android app security is to lock down exported activities. Within Android, Intents serve as the glue for cross-application interaction at runtime allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request,” Young said.

Prior to the patch being pushed an attacker working the command and control server could see what devices are connected to the phone and take these actions:

  • Take a photo on the victim’s phone and upload (retrieve) it to the C&C server.
  • Record a video on the victim’s phone and upload (retrieve) it to the C&C server.
  • Parse all of the latest photos for GPS tags and locate the phone on a global map.
  • Operate in stealth mode whereby the phone is silenced while taking photos and recording videos.
  • Wait for a voice call and automatically record video from the victim’s side and audio from both sides of the conversation.