Android Camera Security Threat: ‘Hundreds Of Millions’ Of Users Affected
>Checkmarx created a proof of concept (PoC) exploit by developing a malicious application, a weather app of the type that is perennially popular in the Google Play Store. This app didn’t require any special permissions other than basic storage access. By just requesting this single, commonplace permission, the app would be unlikely to set off user alarm bells. We are, after all, conditioned to question unnecessary and extensive permission requests rather than a single, common, one. This app, however, was far from harmless. It came in two parts, the client app running on the smartphone and a command and control server that it connects to in order to do the bidding of the attacker. Once the app is installed and started, it would create a persistent connection to that command and control server and then sit and wait for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions? I hope you are sitting down as it’s a lengthy and worrying list.
>Take a photo using the smartphone camera and upload it to the command server.
>Record video using the smartphone camera and upload it to the command server.
>Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.
>During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.
