Android Camera app bug lets malicious apps secretly record video and steal data

An Android operating system vulnerability has been disclosed that affects its built-in camera app. While Google fixed the issue for the Pixel phones back in July, the patches are still rolling out to smartphones in the broader Android ecosystem. The flaw was uncovered by the cybersecurity firm Checkmarx in July, and its findings were first published by Ars Technica this week. Researchers found that the vulnerability allowed a third-party application to request “storage permissions” from an Android phone user, which in turn gave it access to the camera, record video, and access geolocation data embedded in stored photos. Typically, an app requires access to specific permissions for this information. However, the vulnerability allowed access to all these functions with just storage permission. [caption id=“attachment_7631971” align=“alignnone” width=“1024”]  Representational image.[/caption] This, in turn, allowed hackers to use the vulnerability to record video and audio from affected devices and upload them to external servers without the knowledge of the user. “Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card. There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it’s one of the most common requested permissions observed,” researchers at Checkmarx noted. Google told Business Insider in a statement, “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.” Samsung also says that it has patched the issue in its smartphones. It is recommended that all Android users keep their smartphones updated to the latest version of the software.