Google and Samsung Fix Android Spying Flaw. Other Makers May Still Be Vulnerable (arstechnica.com) 10
Until recently, weaknesses in Android camera apps from Google and Samsung made it possible for rogue apps to record video and audio and take images and then upload them to an attacker-controlled server -- without any permissions to do so. Camera apps from other manufacturers may still be susceptible. From a report: The weakness, which was discovered by researchers from security firm Checkmarx, represented a potential privacy risk to high-value targets, such as those preyed upon by nation-sponsored spies. Google carefully designed its Android operating system to bar apps from accessing cameras and microphones without explicit permission from end users. An investigation published Tuesday showed it was trivial to bypass those restrictions. The investigation found that an app needed no permissions at all to cause the camera to shoot pictures and record video and audio. To upload the images and video -- or any other image and video stored on the phone -- to an attacker-controlled server, an app needed only permission to access storage, which is among one of the most commonly given usage rights.
The weakness, which is tracked as CVE-2019-2234, also allowed would-be attackers to track the physical location of the device, assuming GPS data was embedded into images or videos. Google closed the eavesdropping hole in its Pixel line of devices with a camera update that became available in July. Checkmarx said Samsung has also fixed the vulnerability, although it wasn't clear when that happened. Checkmarx said Google has indicated that Android phones from other manufacturers may also be vulnerable. The specific makers and models haven't been disclosed.
The weakness, which is tracked as CVE-2019-2234, also allowed would-be attackers to track the physical location of the device, assuming GPS data was embedded into images or videos. Google closed the eavesdropping hole in its Pixel line of devices with a camera update that became available in July. Checkmarx said Samsung has also fixed the vulnerability, although it wasn't clear when that happened. Checkmarx said Google has indicated that Android phones from other manufacturers may also be vulnerable. The specific makers and models haven't been disclosed.
Unsafe at any speed (Score:2, Insightful)
Most will never see this update (Score:5, Insightful)
Re: Most will never see this update (Score:3, Informative)
Re: (Score:3)
Just installed LineageOS on an old phone of mine on the weekend. Even as a very tech savvy person who is also a computer programmer, it was way too difficult. The instructions were basically completely wrong for loading the Recovery Tool, and I had to go find another completely different recovery tool. It's working great now, but I don't think the vast majority of end users could install a custom ROM on their phone. Most users could probably get Ubuntu or Windows 10 installed on an old computer without muc
LAFF (Score:2)
Google carefully designed its Android operating system to bar apps from accessing cameras and microphones without explicit permission from end users.
That gives me a BIG LAFF.
Shared storage (Score:2, Insightful)
Such a good idea to have a storage shared between apps... Then again, does anyone expect decent security design from any Google product?
LOL (Score:1)
This is so funny to read when you realize that Google is constantly spying on you 60 seconds per minute, 60 minutes per hour, 24 hours per day, 365 days a year.
Just reading "Google fixes Android spying flaw" is just too comical..
Of course they fix something that allows OTHER COMPANIES to spy but of course they are allowed to spy all they want :)
An easy fix (Score:3)
A simple way to limit the severity of these kinds of security issues would be to just put some damned hardware switches on the cameras and microphone that physically prevents their operation. Until then, this kind of thing will always be a potential problem.