As if advertisers didn’t have enough online fraud to worry about, now a security company reports a vulnerability affecting Google and Samsung smartphones that can bypass user permissions in the advanced Google Camera app on the Pixel 2 XL and Pixel 3.
The vulnerability, which allows hackers to take pictures and listen in on conversations when a user lifts the phone to their ear, has the potential to impact hundreds of millions of Android users.
It’s not clear how the vulnerability will influence commerce on smartphones, but it certainly will have an effect on how future products are developed.
In a blog post published this week, Checkmarx analysts explain the vulnerabilities discovered, provide details of how they were exploited, note the consequences, and describe how users can safeguard their devices.
Checkmarx said the findings were shared with Google, Samsung, and other Android-based smartphone original equipment manufacturers.
An attacker can control the app to take photos and/or record videos, including recording a voice call, through a rogue application that has no permissions.
In certain scenarios, malicious actors can also circumvent various storage permission policies, giving them access to stored videos and photos, as well as to GPS metadata embedded in photos. That metadata lets them locate the user by taking a photo or video and parsing the relevant EXIF data.
Researchers created a video to demonstrate how dangerous this situation could be for Android users. The vulnerability report was sent to Google on July 4, 2019.
The vulnerabilities are now fixed.