
Big Oops - Flaw in Android Security Allows Secret Camera & Audio Recording

HarryNyquist

Remember all those people telling you that you're paranoid for saying something about [brand] and suddenly receiving ads for [brand] everywhere?

Well...

https://www.macrumors.com/2019/11/19/android-camera-security-vulnerability/

Quote

A security flaw in Android smartphones ... allowed malicious apps to record video, take photos, and capture audio, uploading the content to a remote server sans user permission. The vulnerability was discovered by security firm Checkmarx, and was highlighted today by Ars Technica. The flaw had the potential to leave high-value targets open to having their surroundings illicitly recorded by their smartphones.

...

To demonstrate how the flaw worked, Checkmarx created a proof-of-concept app that appeared to be a weather app on the surface but was scooping up copious amounts of data in the background. The app was able to take pictures and record videos even when the phone's screen was off or the app was closed, as well as access location data from the photos. It was able to operate in stealth mode, eliminating the camera shutter sound, and it could also record two-way phone conversations. All of the data was able to be uploaded to a remote server.

When the exploit was used, the screen of the smartphone being attacked would display the camera when recording video or taking a photo, which would let affected users know what was going on. It could be used secretly when a smartphone display was out of sight or when a device was placed screen down, and there was a feature for using the proximity sensor to determine when a smartphone was facedown.

...

Google addressed the vulnerability in its Pixel phones through a camera update that was launched back in July, and Samsung has also fixed the vulnerability, though it's not known when. From Google:

"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

From Samsung:

"Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."

According to Checkmarx, Google has said that Android phones from other manufacturers could also be vulnerable, so there may still be some devices out there that are open to attack. Google has not disclosed specific makers and models.

https://arstechnica.com/information-technology/2019/11/google-samsung-fix-android-spying-flaw-other-makers-may-still-be-vulnerable/

Quote

To demonstrate the risk, Checkmarx developed a proof-of-concept rogue app that exploited the weakness. It masqueraded as a simple weather app. Hidden inside were functions that could:

  • Take pictures and record videos, even when the phone was locked, the screen was off, or the app was closed
  • Pull GPS data embedded into any photo or video stored on the phone
  • Eavesdrop and record two-way phone conversations and simultaneously record video or take images
  • Silence the camera shutter to make the spying harder to detect
  • Transfer any photo or video stored on the phone to an attacker-controlled server
  • List and download any JPG image or MP4 video stored on the phone's SD card

An attack wouldn't be completely surreptitious. The screen of an exploited device would display the camera as it recorded video or shot an image. That would tip off anyone who was looking at the handset at the time the attack was being carried out. Still, the attack would be able to capture video, sound, and images at times when a phone display was out of eyesight, such as when the device was placed screen down. The app was able to use the proximity sensor to determine when the device was face down.

Checkmarx's PoC app was also able to use a phone's proximity sensor to detect when it was held to a target's ear, as often happens during phone calls. The app was able to record both sides of the conversation. It could also record video or take images, a useful capability in the event the back of the phone was facing a whiteboard or something else of interest to an attacker. Checkmarx's report includes a video demonstrating the capabilities of the PoC app.

 

This wouldn't really be an issue if all Android devices received regular updates.

This of course calls into question just how this might be/have been used, and if there are other similar "bugs" in Android (or iOS).


7 minutes ago, RejZoR said:

I don't trust anything made by Google and I don't care how much ppl say how Apple is all the same and how iOS is also the same. It ain't.

Have you considered compiling your own OS on a Pinephone?

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


Pretty bad, but do we know what apps (specifically, or at least what "kind") were abusing this (if any)? It seems like the kind of thing that would only happen using sketchy no-name apps (we all know the kind... and if you don't you were probably a victim of this lol).

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


Interestingly, Google Messages may also leave the camera going when the device is supposedly in sleep. This drains the battery quite quickly.

My eyes see the past…

My camera lens sees the present…


5 minutes ago, Zodiark1593 said:

Interestingly, Google Messages may also leave the camera going when the device is supposedly in sleep. This drains the battery quite quickly.

This sounded odd to me so I checked to see what permissions it even asks for and sure enough it does have the camera. Obvious question here would be why...

This is a common problem with other apps but I expect better from Google. 

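Added example, not code from the thread or from any vendor named in it: a small Python script that performs the "what permissions does this app even ask for" check above against an app's decoded AndroidManifest.xml, flagging declared permissions that reach the camera, microphone, stored media or location when they are not on the list of permissions the app's stated purpose needs. The manifest, the package name com.example.weather and the "expected" permission set are constructed for illustration; pulling and decoding a real APK beforehand (for instance with adb and apktool) is assumed and not shown.

```python
"""Triage the permissions an Android app declares in its AndroidManifest.xml.

Constructed example: a defender-side check in the spirit of "what permissions
does this app even ask for?". The manifest below is made up; on a real device
the APK would be pulled and its manifest decoded first (assumed, not shown).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that reach the sensors and data the Checkmarx PoC collected:
# camera, microphone, stored photos/videos (with their EXIF location),
# precise location and call state.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "stored photos/videos",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_PHONE_STATE": "call state",
}

# Constructed manifest for a hypothetical "weather" app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Weather">
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>
"""

# What a weather app plausibly needs: network access and coarse location.
WEATHER_APP_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def declared_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]


def triage(manifest_xml: str, expected: set) -> dict:
    """Compare declared permissions with what the app's purpose justifies.

    Returns the package name, all declared permissions, the sensitive ones
    that were not expected (mapped to what they expose), and whether the app
    can also talk to the network (i.e. could exfiltrate what it collects).
    """
    root = ET.fromstring(manifest_xml)
    declared = [el.get(NAME_ATTR) for el in root.findall("uses-permission")]
    unexpected = {
        perm: SENSITIVE[perm]
        for perm in declared
        if perm in SENSITIVE and perm not in expected
    }
    return {
        "package": root.get("package"),
        "declared": declared,
        "unexpected_sensitive": unexpected,
        "can_reach_network": "android.permission.INTERNET" in declared,
    }


def report(result: dict) -> str:
    """Render the triage result as a few human-readable lines."""
    lines = [f"Package: {result['package']}",
             f"Declared: {', '.join(result['declared'])}"]
    if result["unexpected_sensitive"]:
        lines.append("Unexpected sensitive permissions:")
        for perm, exposure in result["unexpected_sensitive"].items():
            lines.append(f"  {perm} -> {exposure}")
    if result["unexpected_sensitive"] and result["can_reach_network"]:
        lines.append("Note: app also has network access, so collected data "
                     "could leave the device.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_MANIFEST, WEATHER_APP_EXPECTED)))
```

The check is deliberately about declared permissions rather than runtime behaviour: it tells you what an app can ask the user for, which is the question raised above, not what it is doing right now. A declared CAMERA or RECORD_AUDIO permission on an app whose feature set gives no reason for it is the prompt to look closer, or to deny the runtime grant.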

5 minutes ago, Ryan_Vickers said:

This sounded odd to me so I checked to see what permissions it even asks for and sure enough it does have the camera. Obvious question here would be why...

This is a common problem with other apps but I expect better from Google. 

A fairly recent update allows the app to open the camera when you open the menu for attaching photos. The live feed shows up on the left, while your photo selection is on the right. 

 

The very first day I updated, I put the phone to sleep with the photo menu in Messages still open, and it wakelocked my phone, draining off some 40% within a half hour until I noticed my pocket getting hot. It actually did it again yesterday as well...

 

The live camera bit is the only change I can think of that can bring on the wakelock. Not sure what else Google screwed with there too.


6 hours ago, rcmaehl said:

Have you considered compiling your own OS on a Pinephone?

just finished compiling redhat, gonna take it for a spin and use a phone without a GUI

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


28 minutes ago, Salv8 (sam) said:

just finished compiling redhat, gonna take it for a spin and use a phone without a GUI

How does typing work again without a graphical keyboard?


1 hour ago, Tegos said:

Sure...

 

Absolutely no surprises there, though. Even if we didn't have any confirmation before, I couldn't help but look at my front camera and go "Hmm..." sometimes. Guess I'm not as paranoid as I thought after all.

 

The real question is: should we be sticking pieces of tape over our cameras?

Well to be clear, there is no evidence this vulnerability WAS being exploited by any actual malicious apps.

 

The researchers just found it and made a proof of concept of the hack to show the vulnerability.

 

It is true that it is important to keep your devices up to date. This is one reason I would never own a Samsung smartphone, their software support is so bad... The main reason I own a Google Pixel at the moment.


16 hours ago, RejZoR said:

I don't trust anything made by Google and I don't care how much ppl say how Apple is all the same and how iOS is also the same. It ain't.

While it is true that Apple takes security and privacy very seriously, they are just as prone to having security vulnerabilities in their software as any other manufacturer.

 

There have been numerous security flaws exposed in iOS in the past, including circumventions for unlocking the phone without a passcode or Face ID. If you were not aware, you have not been paying attention.


8 minutes ago, maartendc said:

While it is true that Apple takes security and privacy very seriously, they are just as prone to having security vulnerabilities in their software as any other manufacturer.

 

There have been numerous security flaws exposed in iOS in the past, including circumventions for unlocking the phone without a passcode or Face ID. If you were not aware, you have not been paying attention.

Exactly, no OS is absolutely perfect or 100% secure, despite Apple saying so. I don't trust Apple any more than I do Google, although at least Google is more transparent about vulnerabilities in their software. There was also a vulnerability with Facebook using the front camera in iOS when it wasn't supposed to.

I would much rather have no front camera at all, than the dumb notches or camera holes phone manufacturers have been using.


19 minutes ago, maartendc said:

While it is true that Apple takes security and privacy very seriously, they are just as prone to having security vulnerabilities in their software as any other manufacturer.

 

There have been numerous security flaws exposed in iOS in the past, including circumventions for unlocking the phone without a passcode or Face ID. If you were not aware, you have not been paying attention.

That's not entirely true. Remember, Android's support for non-store apps and overall greater permissions make it considerably easier to distribute malware and have it touch more parts of the OS. Malware is a particularly acute problem in China, Russia and other countries where third-party app stores are more common. Hell, I've seen Android malware that you can't even remove with a factory reset (you have to flash new firmware), but I have yet to hear of that on iOS.

 

I'll agree that Apple certainly isn't immune, and we shouldn't assume the App Store is a guaranteed shield (there are distribution methods, and of course web exploits). However, Apple is also much, much better about supporting devices for longer and ensuring that users not only get all security updates, but get them quickly.

 

It still baffles me that Google lets Android OEMs skip security updates. They're only obligated to deliver four updates per year, and then only for two years (it's not even clear if they need to provide four updates that second year). That's nuts -- a fast-spreading worm could wreck phones in January and vendors wouldn't need to have a fix for it until March. And I have a feeling that it'll take an incident like that for Google to do the right thing and require that vendors provide every security update for those two years, if not three.


Just now, Commodus said:

It still baffles me that Google lets Android OEMs skip security updates. They're only obligated to deliver four updates per year, and then only for two years (it's not even clear if they need to provide four updates that second year). That's nuts -- a fast-spreading worm could wreck phones in January and vendors wouldn't need to have a fix for it until March. And I have a feeling that it'll take an incident like that for Google to do the right thing and require that vendors provide every security update for those two years, if not three.

Google: We need you to provide security updates for your devices as soon as we put them out.
OEM: But what if -- slides $$$ across table -- we didn't have to do that.

Google: Oh well -- accepts money -- when you put it like that...


17 hours ago, Ryan_Vickers said:

Pretty bad, but do we know what apps (specifically, or at least what "kind") were abusing this (if any)? It seems like the kind of thing that would only happen using sketchy no-name apps (we all know the kind... and if you don't you were probably a victim of this lol).

I would assume that all apps where the primary business strategy behind them is the sale of user data were using this bug.

Or in other words, any app associated with a company that is associated with the "big data revolution". Any app that asks for permissions for which there are not any apparent user features attached. Any app that shows you Advertiser ID based ads.

 

Spoiler

In case you need some evidence that I'm not just wearing my tin foil hat, here's a 26 minute long video of the CTO of the CIA describing with some precision why they are interested in big data, and then admitting that "It is nearly within [their] grasp to compute on all human generated information". In case the time embedding doesn't work, the money shot is at 26:12.
 

 

 

ENCRYPTION IS NOT A CRIME


So this explains the phantom battery drainage on Android (at least Samsung) devices then.


17 hours ago, Ryan_Vickers said:

Pretty bad, but do we know what apps (specifically, or at least what "kind") were abusing this (if any)? It seems like the kind of thing that would only happen using sketchy no-name apps (we all know the kind... and if you don't you were probably a victim of this lol).

It's a proof of concept, there's no evidence that it was exploited in the wild.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


1 hour ago, maartendc said:

Well to be clear, there is no evidence this vulnerability WAS being exploited by any actual malicious apps.

 

The researchers just found it and made a proof of concept of the hack to show the vulnerability.

 

It is true that it is important to keep your devices up to date. This is one reason I would never own a Samsung smartphone, their software support is so bad... The main reason I own a Google Pixel at the moment.

One of the reasons I'll probably go with an iPhone when my current phone breaks. I tend to keep my devices for a long time, so a current model iPhone would probably actually be money well spent in my case.


Oh great, it's like this will never end. Really, some apps having such permissions just like that needs to stop.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |
