How people can be tracked through a smartphone camera
Cybersecurity experts from Checkmarx have published a report on a vulnerability they found in the Android operating system, according to the company’s blog.
Exploiting it requires a certain sequence of actions and internal system calls. All the attacker has to do after that is download the resulting videos and photos. This allows an app without access to the camera to perform a full-fledged capture of video, sound and images of the smartphone’s surroundings, and to track its location.
To test their theory, Checkmarx created a “weather” app and demonstrated how it works. The program performs all of its basic functions.
But right after the first launch, it establishes a secure background connection to the attacker’s remote server and starts waiting for a command. It continues to work even after the application is closed. There are two modes of operation: the normal mode, in which the smartphone camera opens on the screen, and the stealth mode, in which the camera turns on only if the smartphone is lying “face down”.
The experiment, run on Google’s Pixel 2XL smartphone with the latest version of Android 9, yielded geo-data from all photos, as well as real-time photos and videos.
The cybersecurity experts also demonstrated a realistic espionage scenario, in which a person is talking on the phone next to a projector that displays confidential data. During the conversation the smartphone records video, and afterwards the intruder safely saves the prepared file for himself.
Information about the vulnerability was provided to Google on July 4. A few days later, it received a high priority, and in August it was registered as CVE-2019-2234. Before the end of the month, Checkmarx contacted leading smartphone manufacturers, of which Samsung confirmed that its devices were affected by the vulnerability.