Duct-tape or ditch it: Google patches major camera / call-recording exploits; some Androids still affected?


posted Wednesday, November 20, 2019 at 3:24 PM EST


If you're an Android user, you need to read this article carefully and consider taking action, because there's a fair chance that hackers could be watching what your smartphone's cameras are seeing, and listening in on your private phone calls as well. This shocking news was revealed yesterday by security firm Checkmarx, after it discovered some major flaws in Google's camera app for Android devices, as well as that from Samsung. Both Checkmarx and Google leave open the possibility that similar flaws could be lurking -- potentially undiscovered and unpatched but ripe for exploitation by hackers -- in Android devices from other manufacturers as well.

With nothing more than storage access, cameras and call audio are up for grabs

Checkmarx, which discovered and reported flaws in the Google Camera and Samsung Camera apps over the summer, but held off on publicly disclosing them to give both manufacturers time to create and distribute fixes, says that it was able to create a proof-of-concept application which proved just how dangerous they could be. Its own app needed to request only a single permission from the user granting it access to the device's storage, something which most Android users would likely grant without a second's thought.

Once that permission was given, though, the proof-of-concept app was able to record both still images and video from the device's onboard cameras, ascertain the phone's current and historic location via GPS information stored in the headers of images, and monitor the proximity sensor to determine when a call was being made. Perhaps most shockingly of all, the app could even record both incoming and outgoing audio during phone calls. And all of this could happen silently in the background, operating even when the phone is locked, with users left completely unaware that their information was being stolen and uploaded to the hacker's servers after being tricked into downloading a seemingly-unrelated app from the Play store or elsewhere.


Google and Samsung have offered fixes, so update immediately

Both Google and Samsung have now patched their apps to prevent these exploits in current versions, but that will only be of help to users of those specific brands' devices who've actually kept their apps up to date. And as noted in the lede of this article, the possibility remains that similar flaws could exist in the camera apps of other manufacturers, just waiting to be discovered and abused by hackers who've now been given a heads-up of just where they should be looking. The potential for abuse, then, is significant.

So what can you do? With tongue somewhat in cheek, we've suggested duct tape in the headline, but truth be told this won't protect you since hackers could still be listening in on your phone calls, and potentially gaining the personal information needed to convincingly spoof a phone call from your bank or some other entity, leaving you at risk of major harm. If your phone ships with Google or Samsung's camera apps, the fix is pretty simple: Confirm you have updated to the most recent version immediately, and ensure that automatic updates are left switched on in the future.

Android phones from other brands may still be affected, and the hackers know this

For users of Android phones from other brands, however, there isn't such a simple answer. In its statement about the exploit, Checkmarx states that "Google informed our research team that the impact was much greater [than just its own Pixel series of phones] and extended into the broader Android ecosystem", and also notes that "Multiple vendors were contacted regarding the vulnerabilities". What it doesn't say, though, is whether any third-party vendor other than Samsung has responded, taken action, or shown itself to be unaffected.

Obviously, the first thing you should do is, again, to ensure your camera app is updated and can continue to update itself automatically, But until each specific manufacturer weighs in with either a fix or a clear statement that their phones have been tested and shown to be unaffected, you simply have no way to know whether or not they're safe to use. Since the camera app is installed on the phone by the manufacturer, you can't typically just disable or uninstall it to ensure your safety. And while taping over the cameras will at least close off one potential avenue of attack, there's no way to prevent call recording without also preventing your own ability to make and receive calls.

Switching to an unaffected phone may be the only answer for now

So for now, the only answer for brands beyond Samsung and Google, it would seem, is to contact the manufacturer and express your concerns, or consider switching to a new phone -- either from Google or Samsung, or to a non-Android device altogether. Given the severity of this problem -- coupled with the fact that Google has failed to coordinate with its Android partners to provide a clear answer in the nearly four months it has had to do so, we'd imagine more than a few users will be choosing the latter option.

More information on this exploit and how it works can be found in the article published by Checkmarx.