Checkmarx, a cybersecurity firm, found out that a Samsung or Google camera app can be used as a spy camera without the knowledge of the owner.
Pexels

Checkmarx is a cybersecurity firm and according to a recently released report, they have discovered a major flaw in the Android operating system. Researchers found that Android mobile phone cameras can be accessed and used to spy on users by simply using an app. Apparently, it can also take photos and videos, but the most discerning element is that it can also access everything that owners have stored in their phone, including GPS locations.

The flaw has been dubbed, CVE-2019-2234. The cybersecurity firm was able to uncover this flaw after they created a fake weather app.

In an article published in Android Central, these vulnerabilities are both present in Samsung Camera, Google Camera apps and other camera apps. Checkmarx showed a video featuring how this flaw worked and how it whas the ability to spy on owner.

How did Checkmarx discover this flaw in Android phones and what are its effects?

  • Checkmarx first downloaded an app, in this case they downloaded a fake weather app that Checkmarx created. It allowed storage permission after the app was installed. Then, it gave the attacker access to the phone's storage that includes photos and videos.
  • The most alarming part is it can access the GPS and pinpoint the location of the owner. It has also a sensor that would notify the attacker if the owner is looking or using the camera.
  • Since the attackers now have access to the owner's phone, they now have the capabilities of recording audio, most importantly, phone calls.

This incident of turning a phone into a spy camera became viral in a Facebook bug which required the owner of the iPhone to open the camera, but requiring user permission first before it can be accessed. In a report from Checkmarx the first recorded incident of the spy camera issue was in July through a Google camera app.

In August, Samsung also confirmed the same problem. With this, both Samsung and Google allowed Checkmarx to publish a report about the vulnerabilities of their cameras to give awareness to their users.

A Google spokesperson provided a statement to Checkmarx, "We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure."

The Director of Security Research at Checkmarx, Mr. Erez Yalon, said that the flaw they found in Google camera may be triggered or coming from its own voice assistant app which allows access to the camera and other files. Moreover, Checkmarx is still looking for other android apps that may be vulnerble to the flaw other than Google and Samsung camera apps.

However, as of now, there are only two companies who were found to have these vulnerabilities in their products. It is believed that hundreds of thousands of people could be impacted by this flaw. One of the best ways to personally mitigate yourself from being spied on is to always update your devices with the latest version of the operating system.