Google has revealed a now-fixed problem that allowed third-party Apps to access a troubling set of permissions because of its Camera App built into Android smartphones.
Technologist have revealed a high-severity problem that may allow attackers to ditch the Google Camera App, the built-in smartphone camera for Android phones.
The problem was fixed for Google-manufactured mobiles in July but Google said places continue rolling out to smartphones at the wider Android ecosystem, such as to Samsung mobiles.
Researchers discovered that when a third party App asks “storage permissions” from a Android mobile user, it can get into the camera, capture video and accessibility geolocation data embedded in saved photographs.
“Regrettably storage permissions are extremely wide and these permissions provide access to the whole SD card,” explained Checkmarx researchers, that found the defect, at a Tuesday analysis. “You will find a high number of Apps, with valid use-cases, that request access for the storage, yet don’t have any special interest in videos or photos. But In reality it’s among the most frequent requested permissions observed.”
An attacker would have to do in order to exploit this can be to create an App and force victims into downloading it. Researchers for their role produced a proof of concept (PoC) App, a weather App, which only asked the simple storage permissions from android phone users.
The App was subsequently able to take photos and record videos to the sufferer’s phone (even when the phone was locked and the display is switched off), accessibility stored videos and photographs, and also the GPS metadata embedded in saved photographs (to possibly find the user).
While investigators verified that Google Pixel and Samsung tablets are affected, they stated that the problem affects the wider Android ecosystem, “presenting substantial consequences to countless millions of smartphone users”.
On Aug 18, several sellers were contacted concerning the defect, and on Aug 29, Samsung verified that its android phones were updated.
The problem was solved through a update provided in Google Playstore, just update the Google Camera App and issue will be solved.
Samsung didn’t respond to a request for comment in Threatpost.