Android Camera Hijack Hack Disclosed by Google
Android permission Vulnerability
Recently, a very high impact vulnerability of android has come to light. Security researchers have found a vulnerability in android due to which the in-built camera application can be accessed by the attacker. The attacker can gain access to the camera and further can click pictures record videos, even if the phone is locked and screen turned off.
Whenever a third party application requests for storage permissions, three permissions are given simultaneously i.e. to access camera and record video and is able to access geolocation of the phone along with storage permission. Ideally, specific permissions should be given on specific requests like for example: - If we want to open camera then android.permission.CAMERA should be granted, or to access current location android.permission.ACCESS_COARSE LOCATION and should ideally be granted. But a bundle of permissions was being granted to the applications without the knowledge of the android users.
Testing of Vulnerability and Affected devices
An application (Weather Application) was made to test this vulnerability by the researchers. Pixel 2 XL and Pixel 3 were used and much to the surprise of the researchers they were not only able to control camera and record photos and videos but also were able to get GPS data from just the storage permission bundle. Once the connection is established even closing the application would not break the connection. The most dangerous part is the fact that shutter sound of the camera can be disabled and also recording can be done without anyone noticing. Samsung devices are also vulnerable to this flaw and so are most of the android devices according to an estimate of more than 100 million users will be affected.
Google has addressed this issue and has fixed the issue for Google manufactured phones like Pixel 2,3 but patches for this vulnerability are still being rolled out to the other device manufacturers like Samsung etc. The users can protect themselves from this vulnerability by updating the android software to latest security patches and also by regularly updating the camera application.