Google and Samsung on Tuesday disclosed several security vulnerabilities to their phones, allowing attackers to bypass a phone user’s security protections.
The security vulnerabilities could allow a hacker to access the Google Camera app on the Google Pixel 2XL and Pixel 3 smartphones. According to Forbes, the vulnerabilities were uncovered by the Checkmarx security research team.
Checkmarx uncovered several exploits, including the ability to remotely control the smartphone camera applications, take pictures, record video and use the video recording to eavesdrop on a user’s phone conversations. Hackers could also use exploits to remotely gather a user’s GPS location data.
The Checkmarx findings suggest these vulnerabilities could be exploited in the background of a user’s phone without them knowing anything is wrong.
The Android Open Source Project (AOSP) has set restrictions barring applications from using camera, microphone and location recording tools without first accepting a user’s permission. Checkmarx was able to bypass those security measures by using the Google Camera app and exploiting a common permission feature which requests storage permission.
“A malicious app running on an Android smartphone that can read the SD card not only has access to past photos and videos, but with this new attack methodology, can be directed to take new photos and videos at will,” Erez Yalon, the director of security research at Checkmarx told Forbes.
Yalon said the same exploits could be used against Samsung’s phone application.
Google and Samsung have reportedly fixed the vulnerabilities to their phone devices, though they may have been warned about the security risks for some time. Checkmarx reportedly submitted a vulnerability report on July 4, but the notice allegedly only received moderate concern until July 23 when the risk assessment was raised to a higher priority. On August 18, multiple Android vendors were contacted, and by August 29 Samsung confirmed the vulnerabilities.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” A Google spokesperson said in response to requests for comment from Forbes. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
The full disclosure of the vulnerabilities may have been delayed until both Google and Samsung could confirm they had fixed the security vulnerabilities. Phone users are advised to make sure their devices are up to date with the latest version of the Android operating system.
Ian Thornton-Trump, a cybersecurity expert and faculty member of the Computing Technology Industry Association (CompTIA) expressed his shock at the news of the vulnerabilities and expressed concerns of a greater risk.
“It did not sound like a vulnerability, it sounded more like an Advanced Persistent Threat (APT) actor with fully-featured spyware,” Thornton-Trump told Forbes reporters.
He suggested Google take a deeper look to ensure there are not other cybersecurity risks hiding in the Android operating system.