Forbes reported that the security research team at Checkmarx has discovered vulnerabilities affecting Google and Samsung smartphones, with the potential to impact hundreds of millions of Android users, the biggest to date. Researchers discovered a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this is performed silently, in the background, with the user none the wiser.
In response, Craig Young, senior security researcher at Tripwire, stated:
One of the most important aspects of Android app security is to lock down exported activities. Within Android, Intents serve as the glue for cross-application interaction at runtime, allowing, for example, one app to invoke an activity from another. Poorly designed activities can be leveraged by malicious apps to perform actions or access data that would normally incur a permissions request.
In this case, Google left an open activity for triggering the CameraActivity specifying that it should take a picture or record a video. A malicious app with storage permission could trigger the activity and then access the resulting media files from the phone’s internal storage. It is frankly quite shocking that Google would make such a mistake in their own camera app.
In the long term, I think AOSP needs to seriously consider finer-grained access controls between apps. Something like a firewall for Intent messages so that users have some control over which other apps a given app can interact with.