Some standard commands in many Android smartphones allow apps to run and control the camera without asking for user permission, found by the researchers in the field of information security from the company Checkmarx. The company reported this to Google and Samsung a few months ago, so these manufacturers have already managed to fix the vulnerability.
Android applications can request the system to access certain functions through standard APIs, and for some functions the system asks the user to provide access to the application. For example, if an application requests access to a camera or cellular features, the system first asks for permission from the owner.
In addition to the permission system, Android also has a subsystem for communicating applications among themselves. For example, some applications indicate the coordinates of a place on the map as a link, by clicking on which the user enters the standard map application. Behind this process is an action request through an Intent object. At the same time, the indications of actions may be implicit, and in this case, the system itself selects the applications that are suitable for the request, and are explicit with an indication of the specific application and action.
Researchers at Checkmarx found that standard camera apps on Google and Samsung smartphones allow third-party apps to take photos or videos, regardless of whether the app has permission to access the camera. After the application has sent such a request, the camera application is launched. You can use a set of commands to take photos or videos, as well as set a shooting timer or choose which camera to use.
This vulnerability itself is hardly useful, but researchers note that attackers can use it along with other system capabilities. For example, many apps in Google Play request access to the store, and users are used to giving them without thinking about why the program has such access. With this permission, the malicious app can send the photos taken to their server, and if the user has a location recording in the camera settings time to take a picture, so it can track a person’s location.
In addition, the researchers showed that the operation of a malicious application can be hidden if it monitors the state of the proximity sensor and starts shooting only when the smartphone is attached to the ear during a conversation or lies on a table on the screen.
Researchers sent information about the vulnerability to Google’s Android security team in early July, after which Google and Samsung corrected the vulnerabilities and allowed the information to be disclosed in November. However, Google also said that it notified other companies, so it is likely that the vulnerability affected smartphones of other manufacturers.
Recently, Google discovered sites that have exploited unknown critical vulnerabilities in iOS for at least two years. After a user accessed the site through a browser, a malicious application was installed on his smartphone, gaining superuser rights and transmitting passwords, photos and other confidential information to attackers.