Sun. Dec 8th, 2019

Security vulnerabilities in Android camera apps affect Google and Samsung


Android security flaws allow applications to access people’s cameras for secret video and audio recording. Android smartphones from companies such as Google and Samsung have security vulnerabilities that allow malicious applications to record video, take photos and capture audio, and then upload the content to remote servers without the user’s permission. The vulnerability was discovered by security company Checkmarx and highlighted by Ars Technica. It could expose high-value targets to having their surroundings illegally recorded by their smartphones.

Reportedly, an application exploiting this vulnerability can capture video and audio using the camera and microphone without the user’s explicit permission. Google fixed the vulnerability in its Pixel phones through a camera update released in July. Samsung also fixed the vulnerability, but it is not clear when its fix will be released. Google said:

“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”

Samsung said:

“Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly.”

According to Checkmarx, Google has said that Android phones from other manufacturers may also be vulnerable. Google has not disclosed the specific manufacturers and models. At this time, it is still not clear why an application can access the camera without user permission. In an email to Ars Technica, Checkmarx speculated that this may be related to Google’s decision to use the camera with Google Assistant, something other manufacturers may have already implemented as well.