
The cameras on "hundreds of millions" of Android phones could have been hijacked

Google Camera could have been used for some extremely shady hacking activities. (Source: XDA)
The security research group Checkmarx has claimed to have identified a vulnerability that could have allowed hackers to bypass Android permission restrictions to remotely open and control device cameras without their owners' knowledge. This issue, which apparently affected Google and Samsung apps, has reportedly been addressed in recent software updates.

The white-hat firm Checkmarx has recently gone public about a severe potential exploit it allegedly found in the Google and Samsung Camera apps, which are installed on hundreds of millions of phones. This issue is apparently tracked under the Common Vulnerabilities and Exposures (CVE) identifier CVE-2019-2234. It is described as a direct pathway to control of the apps in question in a way that could have allowed a bad actor to open and operate image sensors without the owner's knowledge.

Remote access such as this is normally prevented by the Android operating system's permission controls, which depend on user input. However, Checkmarx asserts that CVE-2019-2234 made it possible to bypass these restrictions entirely. To prove this, the group developed its own app, which required nothing more than the 'storage' permission to gain control of the camera as described.

Once this app was on a device, Checkmarx reportedly demonstrated that it was possible for it to set up a connection to a command and control server that persisted even if said app was closed thereafter. This app was then allegedly capable of initializing cameras on the phone in question, then taking photos or videos at will and sending them back to this server. In addition, files already in the device's memory were also liable to be sent to this server.

Furthermore, the group claimed that its app was also capable of controlling device GPS in order to steal a user's location without their knowledge. Fortunately, this potential doorway to hacking has been closed: Checkmarx reported its findings to Google and Samsung in July 2019, which led to software updates intended to address the CVE in question.

Therefore, its worrying implications should not apply to devices with relatively recent upgrades or security patches. Nevertheless, it may be a valuable cautionary tale with the moral that it is always wise to keep an eye on your device's hardware and what might have access to it.


Deirdre O'Donnell - Senior Tech Writer - 5116 articles published on Notebookcheck since 2018
I became a professional writer and editor shortly after graduation. My degrees are in biomedical sciences; however, they led to some experience in the biotech area, which convinced me of its potential to revolutionize our health, environment and lives in general. This developed into an all-consuming interest in more aspects of tech over time: I can never write enough on the latest electronics, gadgets and innovations. My other interests include imaging, astronomy, and streaming all the things. Oh, and coffee.
Deirdre O'Donnell, 2019-11-19 (Update: 2019-11-19)