The head of the security department at Checkmarx, Erez Yalon, described a vulnerability found in the Camera app on Google and Samsung devices. The flaw allowed applications without the necessary permissions to take photos and videos even on a locked device.
- The vulnerability was found on Pixel 2 XL and Pixel 3 smartphones, as well as on Samsung devices, although specific Samsung models were not named. The companies allowed the publication of the report and announced a fix for the vulnerability. Google also sent a patch to its partners;
- Researchers said the vulnerability allowed third-party applications to control the camera without permission;
- Attackers could also gain access to photos stored on the device and take new pictures, even if the phone was locked or in voice call mode;
- The vulnerability made it possible to record the voices of both parties during a call and provided access to GPS tags. With this, attackers could track the movement of the device, according to Checkmarx;
- Researchers created a weather tracking application that requested only one permission – to access memory. They found that closing the application does not cut off the connection to the server, providing attackers with a list of all connected devices.