An alarming security vulnerability has been discovered in several models of Android smartphones manufactured by Google, Samsung, and others that could allow malicious apps to secretly take pictures and record videos — even when they don’t have specific device permissions to do so.
As you may already know, the security model of the Android mobile operating system is primarily based on device permissions: each app must explicitly declare which services, device capabilities, or user information it wants to access.
However, researchers at Checkmarx discovered that a vulnerability, tracked as CVE-2019-2234, in pre-installed camera apps on millions of devices could be leveraged by attackers to bypass such restrictions and access the device camera and microphone without any permissions to do so.
How Can Attackers Exploit the Camera App Vulnerability?
The attack scenario involves a rogue app that only needs access to device storage (i.e., SD card), which is one of the most commonly requested permissions and does not raise any suspicion.
According to researchers, by merely manipulating specific “actions and intents,” a malicious app can trick vulnerable camera apps into…