HarryNyquist

Big Oops - Flaw in Android Security Allows Secret Camera & Audio Recording


Posted · Original Poster

Remember all those people telling you that you're paranoid for saying something about [brand] and suddenly receiving ads for [brand] everywhere?

Well...

https://www.macrumors.com/2019/11/19/android-camera-security-vulnerability/

Quote

A security flaw in Android smartphones ... allowed malicious apps to record video, take photos, and capture audio, uploading the content to a remote server sans user permission. The vulnerability was discovered by security firm Checkmarx, and was highlighted today by Ars Technica. The flaw had the potential to leave high-value targets open to having their surroundings illicitly recorded by their smartphones.

...

To demonstrate how the flaw worked, Checkmarx created a proof-of-concept app that appeared to be a weather app on the surface but was scooping up copious amounts of data in the background. The app was able to take pictures and record videos even when the phone's screen was off or the app was closed, as well as access location data from the photos. It was able to operate in stealth mode, eliminating the camera shutter sound, and it could also record two-way phone conversations. All of the data was able to be uploaded to a remote server.

When the exploit was used, the screen of the smartphone being attacked would display the camera when recording video or taking a photo, which would let affected users know what was going on. It could be used secretly when a smartphone display was out of sight or when a device was placed screen down, and there was a feature for using the proximity sensor to determine when a smartphone was facedown.

...

Google addressed the vulnerability in its Pixel phones through a camera update that was launched back in July, and Samsung has also fixed the vulnerability, though it's not known when. From Google:

"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

From Samsung:

"Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."

According to Checkmarx, Google has said that Android phones from other manufacturers could also be vulnerable, so there may still be some devices out there that are open to attack. Google has not disclosed specific makers and models.

https://arstechnica.com/information-technology/2019/11/google-samsung-fix-android-spying-flaw-other-makers-may-still-be-vulnerable/

Quote

To demonstrate the risk, Checkmarx developed a proof-of-concept rogue app that exploited the weakness. It masqueraded as a simple weather app. Hidden inside were functions that could:

  • Take pictures and record videos, even when the phone was locked, the screen was off, or the app was closed
  • Pull GPS data embedded into any photo or video stored on the phone
  • Eavesdrop and record two-way phone conversations and simultaneously record video or take images
  • Silence the camera shutter to make the spying harder to detect
  • Transfer any photo or video stored on the phone to an attacker-controlled server
  • List and download any JPG image or MP4 video stored on the phone's SD card

An attack wouldn't be completely surreptitious. The screen of an exploited device would display the camera as it recorded video or shot an image. That would tip off anyone who was looking at the handset at the time the attack was being carried out. Still, the attack would be able to capture video, sound, and images at times when a phone display was out of eyesight, such as when the device was placed screen down. The app was able to use the proximity sensor to determine when the device is face down.

Checkmarx's PoC app was also able to use a phone's proximity sensor to detect when it was held to a target's ear, as often happens during phone calls. The app was able to record both sides of the conversation. It could also record video or take images, a useful capability in the event the back of the phone was facing a whiteboard or something else of interest to an attacker. Checkmarx's report includes a video demonstrating the capabilities of the PoC app.

 

This wouldn't really be an issue if all Android devices received regular updates. 🤔

This of course calls into question just how this might be/have been used, and if there are other similar "bugs" in Android (or iOS).

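The Ars bullet about pulling GPS data out of photos already on the phone is worth seeing concretely, because it is the capability that needs nothing more than storage access. The following is an added example, not code from the article or from Checkmarx's PoC: it walks a JPEG's marker segments, finds the Exif APP1 segment, reads the GPS sub-IFD and converts it to decimal degrees, then shows the blunt mitigation of dropping the Exif segment altogether. The JPEG it parses is constructed inline (a marker skeleton with no real image data) and every function name here is mine.

```python
"""Added example: recover (and strip) the GPS position carried in a JPEG's Exif data.

Standard library only; builds its own tiny JPEG so it runs offline.
"""
import struct

GPS_IFD_POINTER = 0x8825                      # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}   # TIFF field types handled here


def find_exif_segment(jpeg: bytes):
    """Walk JPEG marker segments; return (start, end, tiff_bytes) of the Exif APP1, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:                    # SOS: entropy-coded data follows, no more headers
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, end, jpeg[pos + 10:end]
        pos = end
    return None


def _read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at `offset`."""
    (n,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def _decode(tiff: bytes, endian: str, typ: int, count: int, raw: bytes):
    """Decode one IFD entry; values wider than 4 bytes live elsewhere and `raw` is their offset."""
    if typ not in TYPE_SIZES:
        return raw
    size = TYPE_SIZES[typ] * count
    if size <= 4:
        data = raw[:size]                     # inline, left-justified in the 4-byte field
    else:
        (off,) = struct.unpack(endian + "I", raw)
        data = tiff[off:off + size]
    if typ == 2:                              # ASCII, NUL-terminated
        return data.rstrip(b"\x00").decode("ascii")
    if typ == 5:                              # RATIONAL: (numerator, denominator) uint32 pairs
        nums = struct.unpack(endian + "I" * (2 * count), data)
        return [nums[i] / nums[i + 1] for i in range(0, 2 * count, 2)]
    fmt = {1: "B", 3: "H", 4: "I", 7: "B"}[typ]
    return list(struct.unpack(endian + fmt * count, data))


def extract_gps(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if there is no usable GPS IFD."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return None
    tiff = seg[2]
    endian = "<" if tiff[:2] == b"II" else ">"   # byte order is declared in the TIFF header
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, endian)
    wanted = (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)
    vals = {t: _decode(tiff, endian, *gps[t]) for t in wanted if t in gps}
    if len(vals) != 4:
        return None

    def to_decimal(dms, ref):                 # degrees/minutes/seconds -> signed decimal degrees
        deg = dms[0] + dms[1] / 60 + dms[2] / 3600
        return -deg if ref in ("S", "W") else deg

    return (to_decimal(vals[GPS_LAT], vals[GPS_LAT_REF]),
            to_decimal(vals[GPS_LON], vals[GPS_LON_REF]))


def strip_exif(jpeg: bytes) -> bytes:
    """Blunt mitigation: drop the whole Exif APP1 segment (GPS goes, but so does orientation)."""
    seg = find_exif_segment(jpeg)
    if seg is None:
        return jpeg
    start, end, _ = seg
    return jpeg[:start] + jpeg[end:]


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed input: a minimal JPEG skeleton carrying an Exif GPS IFD (little-endian TIFF)."""
    rat = lambda pairs: b"".join(struct.pack("<II", n, d) for n, d in pairs)
    lat_bytes, lon_bytes = rat(lat_dms), rat(lon_dms)
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0 holds a single entry
    lat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD holds four entries
    lon_off = lat_off + len(lat_bytes)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode().ljust(4, b"\x00")
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_off)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode().ljust(4, b"\x00")
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_off)
    tiff += struct.pack("<I", 0) + lat_bytes + lon_bytes
    app1 = b"\xff\xe1" + struct.pack(">H", 2 + 6 + len(tiff)) + b"Exif\x00\x00" + tiff
    comment = b"constructed"
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment
    return b"\xff\xd8" + com + app1 + b"\xff\xda\x00\x00" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(((37, 1), (46, 1), (2952, 100)), "N",
                               ((122, 1), (25, 1), (984, 100)), "W")
    print("GPS in sample:", extract_gps(sample))          # (37.7748..., -122.4194)
    print("GPS after strip:", extract_gps(strip_exif(sample)))   # None
```

The parser honours the byte-order mark in the TIFF header, so it reads both "II" and "MM" files; the constructed sample only exercises the little-endian path. Real camera output also carries the GPS fields inside the same structure, so the parse is identical; what differs is that a phone gallery has hundreds of such files, which is exactly why storage-only access was enough for the PoC to map where its victim had been.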
7 minutes ago, RejZoR said:

I don't trust anything made by Google and I don't care how much ppl say how Apple is all the same and how iOS is also the same. It ain't.

Have you considered compiling your own OS on a Pinephone?


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME
LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Pretty bad, but do we know what apps (specifically, or at least what "kind") were abusing this (if any)?  It seems like the kind of thing that would only happen using sketchy no-name apps (we all know the kind... and if you don't you were probably a victim of this lol). 


Interestingly, Google Messages may also leave the camera going when the device is supposedly in sleep. This drains the battery quite quickly.


The pursuit of knowledge for the sake of knowledge.

Forever in search of my reason to exist.

5 minutes ago, Zodiark1593 said:

Interestingly, Google Messages may also leave the camera going when the device is supposedly in sleep. This drains the battery quite quickly.

This sounded odd to me so I checked to see what permissions it even asks for and sure enough it does have the camera.  Obvious question here would be why...

This is a common problem with other apps but I expect better from Google. 

5 minutes ago, Ryan_Vickers said:

This sounded odd to me so I checked to see what permissions it even asks for and sure enough it does have the camera.  Obvious question here would be why...

This is a common problem with other apps but I expect better from Google. 

A fairly recent update allows the app to open the camera when you open the menu for attaching photos. The live feed shows up on the left, while your photo selection is on the right. 

 

The very first day I updated, I put the phone to sleep with the photo menu in Messages still open, and it wakelocked my phone, draining off some 40% within a half hour until I noticed my pocket getting hot. It actually did it again yesterday as well...

 

The live camera bit is the only change I can think of that can bring on the wakelock. Not sure what else Google screwed with there too.


6 hours ago, rcmaehl said:

Have you considered compiling your own OS on a Pinephone?

just finished compiling redhat, gonna take it for a spin and use a phone without a GUI


*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/yJ2cQV

5U The Waifu (my new in-progress server): https://linustechtips.com/main/topic/1130931-5u-the-waifu-my-new-server/

 

28 minutes ago, Salv8 (sam) said:

just finished compiling redhat, gonna take it for a spin and use a phone without a GUI

How does typing work again without a graphical keyboard?


2 minutes ago, Zodiark1593 said:

How does typing work again without a graphical keyboard?

i plug in a keyboard!

 

it have many button.


15 hours ago, RejZoR said:

It ain't.

Sure...

 

Absolutely no surprises there, though. Even if we didn't have any confirmation before, I couldn't help but look at my front camera and go "Hmm..." sometimes. Guess I'm not as paranoid as I thought after all.

 

The real question is: should we be sticking pieces of tape over our cameras?


Ballz 3D is the greatest videogame ever made.

--

Space heater PC specs:

CPU: AMD FX-6300 || GPU: PowerColor Red Dragon Radeon RX 550 4GB (640SP) || Motherboard: ASUS M5A78L-M LX/BR || Storage: 2x 500GB HDD || Memory: 8GB DDR3 (2x 4GB 1600MHz) || PSU: CORSAIR VS500 (2017) || Case: TGT Stryker Mid Tower || Keyboard & Mouse: OEX Cobby, Fortrek Spider 2.

 

1 hour ago, Tegos said:

Sure...

 

Absolutely no surprises there, though. Even if we didn't have any confirmation before, I couldn't help but look at my front camera and go "Hmm..." sometimes. Guess I'm not as paranoid as I thought after all.

 

The real question is: should we be sticking pieces of tape over our cameras?

Well to be clear, there is no evidence this vulnerability WAS being exploited by any actual malicious apps.

 

The researchers just found it and made a proof of concept of the hack to show the vulnerability.

 

It is true that it is important to keep your devices up to date. This is one reason I would never own a Samsung smartphone, their software support is so bad... The main reason I own a Google Pixel at the moment.

16 hours ago, RejZoR said:

I don't trust anything made by Google and I don't care how much ppl say how Apple is all the same and how iOS is also the same. It ain't.

While it is true that Apple takes security and privacy very seriously, they are just as prone to having security vulnerabilities in their software as any other manufacturer.

 

There have been numerous security flaws exposed in iOS in the past, including circumventions for unlocking the phone without a passcode or Face ID. If you were not aware, you have not been paying attention.

7 minutes ago, maartendc said:

This is one reason I would never own a Samsung smartphone, their software support is so bad

Software support is bad, and the phones themselves are very "meh" for the price they're sold at.


8 minutes ago, maartendc said:

While it is true that Apple takes security and privacy very seriously, they are just as prone to having security vulnerabilities in their software as any other manufacturer.

 

There have been numerous security flaws exposed in iOS in the past, including circumventions for unlocking the phone without a passcode or Face ID. If you were not aware, you have not been paying attention.

Exactly, no OS is absolutely perfect or 100% secure, despite Apple saying so. I don't trust Apple any more than I do Google, although at least Google is more transparent about vulnerabilities in their software. There was also a vulnerability with Facebook using the front camera in iOS when it wasn't supposed to.

I would much rather have no front camera at all, than the dumb notches or camera holes phone manufacturers have been using.

19 minutes ago, maartendc said:

While it is true that Apple takes security and privacy very seriously, they are just as prone to having security vulnerabilities in their software as any other manufacturer.

 

There have been numerous security flaws exposed in iOS in the past, including circumventions for unlocking the phone without a passcode or Face ID. If you were not aware, you have not been paying attention.

That's not entirely true.  Remember, Android's support for non-store apps and overall greater permissions make it considerably easier to distribute malware and have it touch more parts of the OS.  Malware is a particularly acute problem in China, Russia and other countries where third-party app stores are more common.  Hell, I've seen Android malware that you can't even remove with a factory reset (you have to flash new firmware), but I have yet to hear of that on iOS.

 

I'll agree that Apple certainly isn't immune, and we shouldn't assume the App Store is a guaranteed shield (there are distribution methods, and of course web exploits).  However, Apple is also much, much better about supporting devices for longer and ensuring that users not only get all security updates, but get them quickly.

 

It still baffles me that Google lets Android OEMs skip security updates.  They're only obligated to deliver four updates per year, and then only for two years (it's not even clear if they need to provide four updates that second year).  That's nuts -- a fast-spreading worm could wreck phones in January and vendors wouldn't need to have a fix for it until March.  And I have a feeling that it'll take an incident like that for Google to do the right thing and require that vendors provide every security update for those two years, if not three.

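Two practical checks come up in this thread: Ryan_Vickers looked at which permissions an app asks for, and Commodus points out that an OEM on the minimum schedule can leave a phone months behind on security patches. The following is an added example, not code from the thread or from Google: it takes the text of `adb shell dumpsys package <pkg>` and `adb shell getprop`, reports which sensitive runtime permissions a package actually holds (as opposed to merely requests), and flags a security patch level older than a quarter. The dumpsys and getprop samples are constructed in the shape of Android 9/10 output (the exact layout varies by release, so the parser keys on the `granted=true|false` lines rather than indentation); `com.example.weather` is a hypothetical package name and the function names are mine.

```python
"""Added example: audit a package's granted permissions and the device's patch age from adb output.

Runs offline against the constructed samples at the bottom; feed it real
`dumpsys package` / `getprop` text the same way.
"""
import re
from datetime import date

# Runtime ("dangerous") permissions that matter for the spying scenario in this thread.
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}
_GRANT_RE = re.compile(r"^([\w.]+): granted=(true|false)")
_PATCH_RE = re.compile(r"\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]")
_PERMISSION_BLOCKS = ("requested permissions:", "install permissions:", "runtime permissions:")


def parse_permissions(dumpsys_text: str) -> dict:
    """Return {'requested': set, 'granted': set} from `dumpsys package` output.

    'requested permissions:' lists everything in the manifest; 'install permissions:'
    and 'runtime permissions:' carry granted=true/false. Any other 'header:' line ends
    the current block, so the User 0 / Package headers do not leak into the sets.
    """
    requested, granted = set(), set()
    section = None
    for line in dumpsys_text.splitlines():
        s = line.strip()
        if s in _PERMISSION_BLOCKS:
            section = s
            continue
        if s.endswith(":"):
            section = None
            continue
        if section == "requested permissions:":
            if s and " " not in s:
                requested.add(s)
        elif section in ("install permissions:", "runtime permissions:"):
            m = _GRANT_RE.match(s)
            if m and m.group(2) == "true":
                granted.add(m.group(1))
    return {"requested": requested, "granted": granted}


def granted_sensitive(perms: dict) -> list:
    """Sensitive permissions the package holds right now, sorted for stable output."""
    return sorted(perms["granted"] & SENSITIVE_PERMISSIONS)


def parse_security_patch(getprop_text: str) -> str:
    """Pull the YYYY-MM-DD security patch level out of `getprop` output."""
    m = _PATCH_RE.search(getprop_text)
    if not m:
        raise ValueError("ro.build.version.security_patch not present in getprop output")
    return m.group(1)


def patch_age_days(patch_level: str, today: date) -> int:
    """Days between the declared patch level and `today`."""
    y, m, d = (int(x) for x in patch_level.split("-"))
    return (today - date(y, m, d)).days


def audit(dumpsys_text: str, getprop_text: str, today: date, max_patch_age_days: int = 90) -> dict:
    """One report for both checks. 90 days is the quarterly minimum cadence mentioned above."""
    perms = parse_permissions(dumpsys_text)
    patch = parse_security_patch(getprop_text)
    age = patch_age_days(patch, today)
    return {
        "sensitive_granted": granted_sensitive(perms),
        "sensitive_requested_not_granted": sorted(
            (perms["requested"] & SENSITIVE_PERMISSIONS) - perms["granted"]),
        "security_patch": patch,
        "patch_age_days": age,
        "patch_stale": age > max_patch_age_days,
    }


# Constructed samples in the shape of `adb shell dumpsys package com.example.weather`
# and `adb shell getprop`; the package and values are made up for this example.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.weather] (a1b2c3d):
    userId=10123
    versionName=1.2.0
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-07-05]
"""
SAMPLE_TODAY = date(2019, 11, 19)   # the day the articles quoted above were published

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMPSYS, SAMPLE_GETPROP, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

Note what the sample shows: the weather app requests the camera and microphone but holds neither, while it does hold storage and fine location, which is the combination the Checkmarx bullets rely on for the photo and GPS part. The patch check is deliberately simple; a patch level is only the OEM's claim, so for anything that matters compare it against the Android Security Bulletin for the month rather than trusting the date alone.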
Posted · Original Poster
Just now, Commodus said:

It still baffles me that Google lets Android OEMs skip security updates.  They're only obligated to deliver four updates per year, and then only for two years (it's not even clear if they need to provide four updates that second year).  That's nuts -- a fast-spreading worm could wreck phones in January and vendors wouldn't need to have a fix for it until March.  And I have a feeling that it'll take an incident like that for Google to do the right thing and require that vendors provide every security update for those two years, if not three.

Google: We need you to provide security updates for your devices as soon as we put them out
OEM: But what if -- slides $$$ across table -- we didn't have to do that.

Google: Oh well -- accepts money -- when you put it like that...

17 hours ago, Ryan_Vickers said:

Pretty bad, but do we know what apps (specifically, or at least what "kind") were abusing this (if any)?  It seems like the kind of thing that would only happen using sketchy no-name apps (we all know the kind... and if you don't you were probably a victim of this lol). 

I would assume that all apps where the primary business strategy behind them is the sale of user data were using this bug.

Or in other words, any app associated with a company that is associated with the "big data revolution". Any app that asks for permissions for which there are not any apparent user features attached. Any app that shows you Advertiser ID based ads.

 


In case you need some evidence that I'm not just wearing my tin foil hat, here's a 26 minute long video of the CTO of the CIA describing with some precision why they are interested in big data, and then admitting that "It is nearly within [their] grasp to compute on all human generated information". In case the time embedding doesn't work, the money shot is at 26:12.
 

 

 


"Ultimately, saying that you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say." ~Verax

17 hours ago, Ryan_Vickers said:

Pretty bad, but do we know what apps (specifically, or at least what "kind") were abusing this (if any)?  It seems like the kind of thing that would only happen using sketchy no-name apps (we all know the kind... and if you don't you were probably a victim of this lol). 

It's a proof of concept, there's no evidence that it was exploited in the wild.


...is there a question here? 🤔

sudo chmod -R 000 /*

What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D Watch Netflix with Kodi on Arch Linux Sharing folders over the internet using SSH Beginner's Guide To LTT (by iamdarkyoshi)

Sauron's™ Product Scores:

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]


A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]


From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]


A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]


Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]


Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]


A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 
