CVE-2019-2234 is a brand new vulnerability that affects Google and Samsung smartphones.
The vulnerability, which can be described as a permission bypass issue, could allow attackers to hijack the device’s camera to take pictures or record video, even when the device is locked. The vulnerability was disclosed by Erez Yalon and Checkmarx.
The researchers analyzed the Google Camera app and discovered that “by manipulating specific actions and intents, an attacker can control the app to take photos and/or record videos through a rogue application that has no permission to do so”.
Furthermore, using certain attack scenarios, hackers can circumvent storage permission policies, thus accessing stored videos and photos, as well as GPS metadata embedded in photos. This information can be used to locate the user by taking a photo or video and parsing the proper EXIF data.
The same method can be used to exploit Samsung’s Camera app, the analysis showed.
“The ability for an application to retrieve input from the camera, microphone, and GPS location is considered highly invasive by Google themselves. As a result, AOSP created a specific set of permissions that an application must request from the user,” the analysis said. Thus, the researchers designed an attack scenario that bypasses the permission policy by abusing the Google Camera app in a way similar to what an attacker would do.
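For developers of apps that hold camera, microphone or location permissions, the following added example (not code from Checkmarx or from this article) audits a decoded AndroidManifest.xml for components that another app can start by intent without holding any permission itself. It assumes the exposure arises from exported components that declare no android:permission requirement; the sample manifest and its package and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver")
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION"}

# Constructed sample manifest; the package and class names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".CaptureActivity">
      <intent-filter>
        <action android:name="android.media.action.VIDEO_CAPTURE"/>
      </intent-filter>
    </activity>
    <activity android:name=".GuardedCaptureActivity" android:exported="true"
        android:permission="android.permission.CAMERA"/>
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>
"""


def audit_manifest(manifest_xml):
    """Return (sensitive permissions held, exported components with no caller permission)."""
    root = ET.fromstring(manifest_xml.strip())
    held = sorted(SENSITIVE & {p.get(ANDROID + "name") for p in root.iter("uses-permission")})
    app = root.find("application")
    unguarded = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        actions = [a.get(ANDROID + "name") for a in comp.iter("action")]
        exported = comp.get(ANDROID + "exported")
        # With no explicit android:exported, an intent-filter exports the
        # component (the platform default before Android 12).
        is_exported = exported == "true" if exported is not None else bool(comp.findall("intent-filter"))
        # A component-level permission overrides the <application> default.
        required = comp.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        if is_exported and not required:
            unguarded.append((comp.get(ANDROID + "name"), actions))
    return held, unguarded


if __name__ == "__main__":
    held, unguarded = audit_manifest(SAMPLE_MANIFEST)
    for name, actions in unguarded:
        print(f"{name}: exported without android:permission; app holds {held}; actions {actions}")
```

A finding is a lead for review rather than proof of a flaw, since a component can also check the caller's permission in code.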
CVE-2019-2234 and the Dubious Case of “Storage Permissions”
The Checkmarx analysis also highlights the dubious nature of storage permissions. It’s a widely known fact that Android camera apps usually store photos and videos on the device’s SD card. Since photos and videos are classified as highly sensitive user information, apps need special permissions to access them, known as “storage permissions”.
The problem is that these permissions are too broad and could permit access to the entire SD card.
“There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos. In fact, it’s one of the most common requested permissions observed,” the researchers noted.
What does this mean? A malicious application is capable of taking photos and videos, and can abuse the very same storage permissions. In addition, if location is enabled in the camera app, the malicious app can also access the GPS location of the user’s device.
To prove that point, the researchers developed “a proof-of-concept app that doesn’t require any special permission beyond the basic storage permission.” The proof-of-concept app posed as a weather application and had a client part and a server part, the latter representing a command-and-control server of the kind typically used by attackers. When the app starts, it opens a connection to the command-and-control server and waits for instructions from the attacker. It is crucial to note that closing the app doesn’t terminate the persistent connection.
Here is a list of malicious activities based on the CVE-2019-2234 vulnerability that can be carried out by the operator of the command-and-control server:
- Taking a photo on the victim’s phone and uploading it to the C&C server
- Recording a video on the victim’s phone and uploading it to the C&C server
- Parsing all of the latest photos for GPS tags and locating the phone on a global map
- Operating in stealth mode whereby the phone is silenced while taking photos and recording videos
- Waiting for a voice call and automatically recording video from the victim and audio from both sides of the communication
“For proper mitigation and as a general best practice, ensure you update all applications on your device,” the researchers recommend.