Android Camera Flaw Discovered That Lets Attackers Record Videos, Take Photos, GPS Data Without Permission: Checkmarx

Google and Samsung have fixed the camera apps on their Android devices, but some other smartphone makers might haven't yet patched their offerings.

Advertisement
By Jagmeet Singh | Updated: 20 November 2019 15:37 IST
Highlights
  • Checkmarx researchers notified Google about the flaw
  • Google raised the severity of the finding to "High" on July 23
  • Samsung on August 29 confirmed that its camera app also affected

Attackers could utilise the flaw to control the camera of your Android smartphone

An Android camera flaw has been reported that could allow attackers to take pictures, record videos, or extract GPS data without requiring any explicit permissions from users. The loophole, which was spotted on the Google Camera app available on Pixel devices and the Samsung Camera app that comes preloaded on Galaxy devices, can be executed remotely using a malicious app. It is known to be available on the Google Camera and Samsung Camera apps until July 2019 and is listed as CVE-2019-2234.

The vulnerability has been discovered by a team of security researchers at Checkmarx. The researchers found that while an app generally requires to obtain certain permissions to record videos, take pictures, and access GPS metadata, apps that have the default 'Storage' permission to use the device's SD card and its media content can exploit the Camera app to gain access to capture photos, videos, or obtain EXIF data and geolocation details. The flaw was noticed after analysing the Google camera app. However, it is also said to have existed in the Samsung Camera app.

Advertisement

"[O]ur researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off. Our researchers could do the same even when a user was is in the middle of a voice call," Checkmarx researchers noted in a blog post.

There are a large number of apps on Google Play that ask for the Storage permission. Thus, the scope of the Android camera flaw appears to be quite wide.

Advertisement

Checkmarx researchers created a proof-of-concept app that works as a weather app but silently transmits a picture, video, and phone call recordings to a command-and-control server. The team after confirming the issue through the proof-of-concept app notified Google of its findings on July 4. The search giant had raised the severity of the finding to "High" on July 23 and noted that it may affect other Android smartphone vendors. Google also issued CVE-2019-2234 to help smartphone vendors fix the flaw on their Android devices.

"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners," Google said in a statement.

Advertisement

Checkmarx researchers said Samsung on August 29 also confirmed that the flaw had affected their camera app. The South Korean company -- just like Google - however, has fixed the issue.

That being said, it is still unclear whether other Android vendors have followed in the footsteps of Google and Samsung and fixed the vulnerability on their devices. It is recommended to have the latest software updates along with the most recent app versions to avoid uncertainties.

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Motorola Edge 70 Max to Launch in India On This Day
  2. Call of Duty: Black Ops and Black Ops 2 Ports Released on PS4 and PS5
  3. HMD Arc 2 Introduced With Upgraded Chip and 5,000mAh Battery: See Price
  4. Sony IER-M500 In-Ear Monitors Launched With 5mm Driver, Hi-Res Audio
  5. OTT Releases This Week: Peddi, Ikka, Balti, Dose, The Westies, and More
  6. Netflix for Free? Here's How to Check If You're Eligible for a Free Trial
  1. Interpol Traces $122 Million Crypto Wallet Connected to Romance Scam Network
  2. Hong Kong's Securities and Futures Commission Tightens Anti-Phishing Standards for Crypto Platforms
  3. Itel Zeno 100 Pro India Launch Date Announced as Company Teases Zeno 100 Lite Arrival, Key Features
  4. Sony RX10 V Compact Camera Launched With 20.1-Megapixel Sensor, 4K 120fps Video Recording and 25x Optical Zoom
  5. Motorola Edge 70 Max India Launch Date Announced; Design, Key Features Revealed
  6. Asus Vivobook 14, Vivobook 15 Refreshed With Intel Core Series 3 Processors: Price, Availability
  7. Call of Duty: Black Ops and Black Ops 2 Ports Released on PS4 and PS5
  8. Samsung Galaxy Z Fold 8, Z Fold 8 Ultra Prices Surface Ahead of Unpacked Launch Event
  9. Bitcoin Holds Above $63,800 as Lower Oil Prices Lift Crypto Market Sentiment
  10. Apple's iPhone Ultra Tipped to Feature Near Crease-Free Foldable Display Using Novel Hinge Technology
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.