A new vulnerability has been found in the Camera apps for millions, if not hundreds of millions, of Android devices that could allow other apps to record video, take pictures, and extract GPS data from media without having the required permissions.
Commenting on the discovery are the following security professionals:
This is the worst-case scenario for many people, myself included. The thoughts of somebody being able to record every moment of my life via an exploit on my smartphone really instills the \”tinfoil hat\” mentality. This exploit seems to be limited but none the less it is part of the way there.
There is no silver bullet for mitigating such a vulnerability other than dropping your phone down a well. For folks who do not want to follow that route, there are a few simple rules of thumb that can help with having a cleaner phone:
Only download applications from the official app stores. Downloading and installing applications from third-parties is not advisable, and even when installing from the official app stores you should be diligent on what permissions an application has.
Be vigilant with your applications, these should be routinely reviewed and updated based on your usage.
Be careful with which permissions you are granting applications. A flashlight application should not need access to your contacts or the ability to send SMS.
Make sure applications are updated. Always keeping your devices up to date and using the latest safe versions is the most robust strategy for ensuring that any adware/spyware which may have been accidentally introduced gets removed.
Mobile phones are a part of most people\’s lives, so they therefore make attractive targets for criminals. It is why it\’s important that phone manufacturers invest heavily in security not just for the device itself, but also when it comes to allowing apps.
However, this camera vulnerability is particularly bad, and users should apply patches as soon as they are made available. it is fortunate that this vulnerability was disclosed by the good guys.
All Android users should make sure they\’re running the latest version of Android and their camera app in order to prevent this vulnerability. I would be interested to know how long this vulnerability existed in Android. The real question is whether anyone else figured it out before Checkmarx alerted Google. The longer such a vulnerability exists in the wild, the more likely that someone has found and exploited it. Access to internal storage is the most common Android permission requested by apps on Google Play. Those apps could all have pulled off this attack to steal existing photos stored on users\’ phones, take new photos, listen in on conversations while recording video, and get location data from stored photos. That\’s a huge privacy and security risk for most Android users. If you\’ve ever taken photos on your Android phone that you\’d prefer to keep private, be they important documents or lewd photos, then this vulnerability is a big concern.