- The security flaw lets apps record videos, audio and click photos without permission.
- Google and Samsung have fixed the security flaw, but other companies could still be vulnerable.
- Hundreds of millions of users could be affected due to this
Android camera spying flaw.
According to findings of security research firm Checkmarx, it is trivial to bypass Google’s restrictions on accessing cameras and microphones.
‘Hundreds of millions’ of users could be vulnerable
While Google fixed the security hole in July with an update to its camera app, it indicated that Android smartphones made by other companies could still be vulnerable. Samsung joined Google in rolling out a fix, but it is not clear exactly when that happened.
While Samsung ships millions of smartphones, companies like Xiaomi, Oppo, Vivo, OnePlus and others make up the rest of the Android ecosystem with millions of shipments every month. Google’s Pixel line-up is still miniscule when it comes to shipments in the Android ecosystem.
Apps can record video, audio and click photos without permission
The Android camera spying flaw allows apps to record videos, audio and click photos without the camera permission. All they need is access to the device’s storage, and once that is granted, they can access the camera without user intervention. In cases where the user is away from the phone, the app could essentially get photos and videos without the user noticing it.
The clicked videos and photos would then be saved to the internal storage while still being hidden from the user. Since all Android apps and games are allowed to use the internet without permissions, they could then upload the saved photos and videos to their server in the background.
Furthermore, apps can also determine the GPS location of the user thanks to the geolocation data saved in the photos and videos.
Your calls can be recorded, too
The camera spying vulnerability reportedly affects calls as well. According to Checkmarx, malicious apps can access the proximity sensor and identify when it is placed near the ear. The app could then record both sides of the call and click photos while it is doing so.
Popping up cameras
Users who have smartphones with pop-up cameras are more likely to notice this security flaw. When a malicious app or website tries to access the camera, the camera will pop-up automatically, making it evident to the user that something fishy is going on with the phone.
Google and Samsung issue statements
Google issued a statement in this regard, saying, “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Samsung, too, issued a statement: “Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly.”
Here’s a video that demonstrates how the Android camera flaw works.