The personal data circus recently welcomed a new act -- one some consumers might not have known about, but one that definitely needs to be addressed if they haven’t done so already.
According to The Security Research Team at Checkmarx, a vulnerability was found in both the Google and Samsung camera app that allowed hackers to commandeer the app and take photos and/or record videos via a malicious application that had zero permission to go that far.
Making matters worse, the Checkmarx folks found that -- depending on how the attacks were set up -- a hacker could go into a consumer’s phone, skirt around various permission triggers, and access stored videos/photosb as well as any location data embedded in those files. That nuance is particularly concerning since that data could pinpoint exactly where the user was when the photo/video was taken.
“Our researchers determined a way to enable a rogue application to force the camera apps to take photos and record video, even if the phone is locked or the screen is turned off,” Checkmarx’ Erez Yalon wrote. “Our researchers could do the same even when a user was in the middle of a voice call.”
The fix is in
Thankfully, companies like Google and Samsung have the ability to act quickly, and they did exactly that when Checkmarx alerted them to the issue.
“We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson told ConsumerAffairs. “The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners.”
Checkmarx confirms that both Google and Samsung have issued a fix. All the same, every Google or Samsung user should take the time to make sure their respective camera apps are up to date.
“The professionalism shown by both Google and Samsung does not go unnoticed. Both were a pleasure to work with due to their responsiveness, thoroughness, and timeliness,” wrote Yalon.
“This type of research activity is part of our ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based smartphones and IoT devices, while bringing more security awareness amid the consumers who purchase and use them. Protecting (the) privacy of consumers must be a priority for all of us in today’s increasingly connected world.”