No stranger to security loopholes, Android’s designers worked hard to bar apps from accessing cameras and microphones unless users grant explicit permission by ticking the corresponding boxes in the operating system’s settings. But a bombshell report by cybersecurity firm Checkmarx showed how trivial it is to bypass those restrictions.
A “rogue application”, tested not only on Google’s Pixel smartphones but also on devices from Samsung and other manufacturers, needed no camera permissions at all to have the camera take pictures and record videos, as well as to capture audio recordings.
Even worse, a hacker could silence the camera shutter to make the recording unnoticeable. Hijacking a device was also possible even if the phone was locked or the screen was turned off.
The app allowed attackers to remotely upload the stolen images and footage to their own servers, requiring only the commonly granted permission to access storage.
Disturbingly enough, the flaw, discovered in July but reported this Wednesday, also made it possible to hijack a phone’s proximity sensor, which activates when the device is held up to a user’s ear or lies face down.
Checkmarx demonstrated a proof-of-concept attack in a video it uploaded to YouTube.
It said that Google fixed the eavesdropping weakness by releasing a security patch later in the month; Samsung followed suit, although it wasn’t clear when.
Android’s major rival, Apple’s iOS, isn’t free of privacy-threatening bugs either. Several days ago, iPhone users began complaining that the Facebook app turned the camera on without their permission.
Aside from that, Facebook, which owns the WhatsApp messenger, warned earlier in November that a system vulnerability allowed hackers to attack its Android and iOS users by sending them “a specially crafted MP4 file”.
The bug appears to be similar to the one found this spring, which hackers used to infect devices with malware through what looked like ordinary calls.
It has since been dealt with, but the cyberattacks caused controversy in India, because over 20 local lawyers, journalists and human rights campaigners were among the 1,400 users affected by the hacks worldwide.