Samsung and Google Camera apps vulnerable to hijacking, fix on the way

Earlier this year, Apple was put on the hot seat for a bug in its new Group FaceTime feature that practically allowed anyone to spy on an iPhone or iPad user by simply making and then dropping a covert call. Now it seems that the Android world has something that may be more sinister and more inconspicuous. Thanks to a bug found in Google's, Samsung's, and other OEMs' camera apps, a seemingly harmless app can secretly spy on the owner using their own phone's cameras. And all the malicious app needs is to be granted data storage permissions.

Starting with Android 6.0 Marshmallow, Google's mobile platform employed a more fine-grained permission system that only asked for and granted access to certain hardware capabilities on a case-by-case basis. In other words, apps that had no business accessing cameras or mics would not be able to do so unless they ask for permission and the user grants it for one reason or another. Unfortunately, a bug reported by Checkmarx last July is able to circumvent that using what looks like a legit non-camera app.

Such an app would look harmless both to users and to Google's automated anti-malware systems. The app may not even ask for permissions beyond accessing data storage, perhaps to save settings or files. Unfortunately, the bug would allow it to hijack camera apps, which also use storage permissions to save photos and videos, and to remotely and silently control the camera app to take photos, record videos, or even use the camera app's GPS access to get the phone's location.

The vulnerability affects camera apps from Google and Samsung. Other Android OEMs may also be affected but only those two have been named. Following the rules of disclosure, the security research group alerted Google about the vulnerability in July, with Samsung acknowledging the bug in August.

Google has rolled out a fix in this month's security updates, which should have already rolled out to Pixel phones. Whether they reach affected devices, including Samsung's, is something only OEMs can answer. Unfortunately, Android's diverse and fragmented ecosystem makes that harder to pin down.