Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images and then upload them to an attacker-controlled server—without any permissions to do so. Camera apps from other manufacturers may still be susceptible.

The weakness, which was discovered by researchers from security firm Checkmarx, represented a potential privacy risk to high-value targets, such as those preyed upon by nation-sponsored spies. Google carefully designed its Android operating system to bar apps from accessing cameras and microphones without explicit permission from end users. An investigation published Tuesday showed it was trivial to bypass those restrictions. The investigation found that an app needed no permissions at all to cause the camera to shoot pictures and record video and audio. To upload the images and video—or any other image and video stored on the phone—to an attacker-controlled server, an app needed only permission to access storage, which is among one of the most commonly given usage rights.

The weakness, which is tracked as CVE-2019-2234, also allowed would-be attackers to track the physical location of the device, assuming GPS data was embedded into images or videos. Google closed the eavesdropping hole in its Pixel line of devices with a camera update that became available in July. Checkmarx said Samsung has also fixed the vulnerability, although it wasn't clear when that happened. Checkmarx said Google has indicated that Android phones from other manufacturers may also be vulnerable. The specific makers and models haven't been disclosed.

"The ability for an application to retrieve input from the camera, microphone, and GPS location is considered highly invasive by Google themselves," Checkmarx Director of Security Research Erez Yalon wrote in Tuesday's analysis. "As a result, AOSP created a specific set of permissions that an application must request from the user."

To demonstrate the risk, Checkmarx developed a proof-of-concept rogue app that exploited the weakness. It masqueraded as a simple weather app. Hidden inside were functions that could:

Take pictures and record videos, even when the phone was locked, the screen was off, or the app was closed

Pull GPS data embedded into any photo or video stored on the phone

Eavesdrop and record two-way phone conversations and simultaneously record video or take images

Silence the camera shutter to make the spying harder to detect

Transfer any photo or video stored on the phone to an attacker-controlled server

List and download any JPG image or MP4 video stored on the phone's SD card

An attack wouldn't be completely surreptitious. The screen of an exploited device would display the camera as it recorded video or shot an image. That would tip off anyone who was looking at the handset at the time the attack was being carried out. Still, the attack would be able to capture video, sound, and images at times when a phone display was out of eyesight, such as when the device was placed screen down. The app was able to use the proximity sensor to determine when the device is face down.

Checkmarx's PoC app was also able to use a phone's proximity sensor to detect when it was held to a target's ear, as often happens during phone calls. The app was able to record both sides of the conversation. It could also record video or take images, a useful capability in the event the back of the phone was facing a whiteboard or something else of interest to an attacker. Checkmarx's report includes a video demonstrating the capabilities of the PoC app.

In a statement, Google officials wrote: "We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure. The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."

Samsung officials wrote: "Since being notified of this issue by Google, we have subsequently released patches to address all Samsung device models that may be affected. We value our partnership with the Android team that allowed us to identify and address this matter directly."

The statement didn't say when Samsung released the fix or how Samsung customers can check if the patch has been installed.

Checkmarx said Google has privately indicated that other makers of Android phones besides Samsung may also be vulnerable. Google's statement didn't directly confirm this or say if any other manufacturers have installed an update.

In an email, Checkmarx's Yalon said it wasn't clear why apps could access the camera without the user providing permission. He speculated that the weakness may be the result of Google making the camera work with the voice-activated Google Assistant and other manufacturers following suit.

Users of Pixel phones can confirm they aren't vulnerable by accessing Apps and Notifications from the settings menu, choosing Camera > Advanced > and App details. The screen should show that the app has been updated since July (and ideally much more recently than that).

Checking if other Android phones are susceptible will be difficult for most users. Those who are more technically skilled can run the following command:

$ adb shell am start-activity -n

com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez

extra_turn_screen_on true -a android.media.action.VIDEO_CAMERA --ez

android.intent.extra.USE_FRONT_CAMERA true

The above command will force the phone to take video. The following command will force the phone to take a photo:

$ adb shell am start-activity -n

com.google.android.GoogleCamera/com.android.camera.CameraActivity --ez

extra_turn_screen_on true -a android.media.action.STILL_IMAGE_CAMERA -

-ez android.intent.extra.USE_FRONT_CAMERA true --ei

android.intent.extra.TIMER_DURATION_SECONDS 3

The skill and luck required to make the attack work reliably and without detection are high enough that this type of exploit isn't likely to be used against the vast majority of Android users. Still, the ease of sneaking malicious apps into the Google Play store suggests it wouldn't be hard for a determined and sophisticated attacker to pull off something like this. No wonder phones and other electronics are barred from SCIFs and other sensitive environments.