From 8kun QR

The Googler confirms

Android Camera Security Threat: ‘Hundreds Of Millions’ Of Users Affected 


> Checkmarx created a proof of concept (PoC) exploit by developing a malicious application, a weather app of the type that is perennially popular in the Google Play Store. This app didn’t require any special permissions other than basic storage access. By just requesting this single, commonplace permission, the app would be unlikely to set off user alarm bells. We are, after all, conditioned to question unnecessary and extensive permission requests rather than a single, common, one. This app, however, was far from harmless. It came in two parts, the client app running on the smartphone and a command and control server that it connects to in order to do the bidding of the attacker. Once the app is installed and started, it would create a persistent connection to that command and control server and then sit and wait for instructions. Closing the app did not close that server connection. What instructions could be sent by the attacker, resulting in what actions? I hope you are sitting down as it’s a lengthy and worrying list.

> Take a photo using the smartphone camera and upload it to the command server.

> Record video using the smartphone camera and upload it to the command server.

> Wait for a voice call to start, by monitoring the smartphone proximity sensor to determine when the phone is held to the ear and record the audio from both sides of the conversation.

> During those monitored calls, the attacker could also record video of the user at the same time as capturing audio.

> Capture GPS tags from all photos taken and use these to locate the owner on a global map.

> Access and copy stored photo and video information, as well as the images captured during an attack.

> Operate stealthily by silencing the smartphone while taking photos and recording videos, so no camera shutter sounds to alert the user.

> The photo and video recording activity could be initiated regardless of whether the smartphone was unlocked.



https://www.forbes.com/sites/daveywinder/2019/11/19/google-confirms-android-camera-security-threat-hundreds-of-millions-of-users-affected/