The camera apps of Google and Samsung phones have been exposed to serious security flaws that could be used by hackers to spy on hundreds of millions of users. Through the vulnerability, hackers can use the victim's phone to take pictures, record videos, record voice calls, and even track the user's location. Is the phone still safe? Come to Xinzhiyuan AI circle of friends to discuss with AI celebrities. You may be being watched all the time without knowing who is watching.
Cameras have been upgraded from an add-on to a phone to a way of documenting life. Facing the golden ginkgo forest, the first snow on the branches, and the hot pot gathering with friends, we all take out our mobile phones, turn on the camera to take pictures or record vlogs, which have become the channels for us to watch, record and express the world.
But if your phone camera was turned on to monitor your life without you even noticing, this might be the modern-day Truman World.
Now this if, there is a little possibility of becoming a reality. According to media reports, Checkmarx's security research team has discovered a vulnerability in Android phones. Attackers can bypass Android permissions by accessing the phone's storage space, and can remotely control the phone to take photos and record remotely without the user's consent. Video, monitor conversations.
Does the research team say there are loopholes when there are loopholes? Is it alarmist? First, let's take a look at what's behind Checkmarx's security research team.
Checkmarx is an Israeli high-tech software company and the producer of Checkmarx CxSuite, the world's most famous source code security scanning software. Checkmarx was nominated as a Leader in the 2019 Gartner Magic Quadrant for Application Security Testing, won Cyber Defense Magazine's 2019 Infosec Award in the Market Leader category in Application Security, and won the Application Security Solution of the Year award.
Its security research team's cutting-edge software vulnerability research on Amazon's Alexa, Tinder, LeapFrog LeapPad and other products has been reported by well-known media such as "Good Morning America", "Consumer Reports" and "Fortune", attracting industry attention.
This time, Checkmarx's security research team discovered several vulnerabilities in the Google Camera app (Google Camera) on the Google Pixel 2XL and Pixel 3 phones due to issues that allow attackers to bypass user permissions. In addition, the Samsung camera also has this vulnerability.
Previously, the research team also disclosed that Amazon's Alexa and Tinder have this problem. Just considering the reach of Google and Samsung phones, these vulnerabilities could affect hundreds of millions of users, or even threaten them.
The vulnerability, dubbed CVE-2019-2234, itself allows a malicious application to remotely obtain input from camera, microphone and GPS location data. The implications of being able to do this are so severe that the Android Open Source Project (AOSP) has a dedicated set of permissions that any app must request and obtain permission from the user before it can enable such operations.
What the researchers at Checkmarx did was create an attack scenario that abused the Google Camera app itself to bypass these permissions. To do this, they created a malicious app that exploits one of the most frequently requested permissions: storage access.
The permission requested by the malicious app is only 'storage access'
"This malicious app running on an Android smartphone can read the SD card," Yalon said. "It can not only access past photos and videos, but also exploit this new can take new photos and videos at will."
Malicious app silently initiates video recording of the phone
Malicious app records calls remotely
How could attackers exploit vulnerabilities in the Google Camera app?
Checkmarx created a proof-of-concept (PoC) exploit by developing a malicious application. This is a weather app that has always been popular in the Google Play Store. Apart from basic storage access permissions, this app does not require any special permissions. The app is unlikely to alarm the user, since only such a simple, ordinary permission needs to be requested. After all, people are used to questioning unnecessary, broad permission requests, not a single, common permission request.
However, this app is far from harmless. It is divided into two parts, a client application that runs on the smartphone and a command and control server that connects to it to execute the attacker's commands.
Once the application is installed and started, it creates a persistent connection to the command and control server and then waits for instructions. Closing the application does not close the server connection.
What commands can an attacker send, and what actions can result? This long list might make you shudder:
The information was released jointly by Google and Samsung in recent days to ensure that both companies have released patches for the vulnerability. The disclosure of the vulnerability, however, began on July 4, when Checkmarx submitted a vulnerability report to Google's Android security team, which began the behind-the-scenes disclosure.
On July 13, Google initially set the severity of the vulnerability to medium, but after further feedback from Checkmarx, the severity was downgraded to "high" on July 23.
On August 1, Google confirmed that the vulnerabilities affected the wider Android ecosystem, with other smartphone makers also affected, and issued CVE-2019-2234.
On August 18, Google contacted multiple vendors; on August 29, Samsung confirmed that the vulnerability affected their devices.
Google responds with patch provided, security expert: 'It's just jaw-dropping'
Google's response: Patch provided to all partners
After being contacted by the media, a spokesperson said: "We are grateful to Checkmarx for alerting us to this vulnerability and working with partners at Google and Android to coordinate the disclosure. Via Google Play Store release in July 2019. An update to the Camera app has resolved the issue on affected Google phones. We have also made the patch available to all partners."
However, disclosure of the vulnerability was delayed until both Google and Samsung released patches, so if you have the latest version of the camera app, be sure to update to the latest version to avoid the threat of an attack.
Also, update to the latest version of the Android operating system, make sure your phone has the latest available security patches, and recommend using the latest version of the camera app for your device to reduce risk.
What security experts have to say about the severity of the vulnerability and how it will affect broader smartphone security.
Thornton-Trump said: "My jaw dropped when I read this report about how vulnerable the camera app is. It doesn't sound like a bug, but more like a high-level version with full-featured spyware. Persistent Threat (APT)."
In fact, Thornton-Trump noticed that if security researchers were black hats, they could easily monetize this research for hundreds of thousands of dollars. "Thanks to the excellent work and integrity of the researchers at Checkmarx, all Android users are now safer," he said.
Thornton-Trump was pleased that Google released a patch soon, but said that because of the severity and breadth of the vulnerability, "it's also time for Google to let some of the capabilities of 'Project Zero' go deep into the Android operating system itself."
"There is no doubt that the high volume of disclosed Android vulnerabilities is damaging the Android brand. The recent 'white screen of death' issue is also not good for the company's reputation. Google needs to do more to ensure users trust the security and confidentiality of Android devices In the meantime, anyone who needs protection should update their systems right away," he said. "If you can't update your device because it's aging or lacking manufacturer support, it's time to get a new device."