Lindsey O’Donnell Welch: Welcome back to the threat post podcast. Samsung did not respond to a request for comment from Threatpost.īelow is a lightly-edited transcript of Threatpost’s podcast (above). A patch has also been made available to all partners.”
“The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. “We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure,” a Google spokesperson said in a media statement. 29 Samsung confirmed that its phones were affected. 18, multiple vendors were contacted regarding the flaw, and on Aug. Researchers reported the flaw on July 4 to Google’s Android security team. While researchers confirmed that Google Pixel and Samsung smartphones are impacted, they said that the issue affects the broader Android ecosystem, “presenting significant implications to hundreds of millions of smartphone users.” After that was granted, the app was then able to take photos and record videos on the victims’ phone (even if the phone is locked and the screen is turned off), access stored videos and photos, and the GPS metadata embedded in stored photos (to potentially locate the users). Researchers for their part created a proof of concept (PoC) app – a mock weather app – that only requested the basic storage permissions from users. In fact, it’s one of the most common requested permissions observed.”Īll an attacker would need to do to exploit this is create an app and lure victims into downloading it. “There are a large number of applications, with legitimate use-cases, that request access to this storage, yet have no special interest in photos or videos.
“Unfortunately, storage permissions are very broad and these permissions give access to the entire SD card,” said Checkmarx researchers, who discovered the flaw, in a Tuesday analysis. Listen to Threatpost’s interview with Checkmarx security head Erez Yalon, about the hack ( or download direct here). An app would normally need users to grant specific permissions for each of these functions (such as the, _AUDIO, _COARSE_LOCATION and _FINE_LOCATION) however, the “storage permissions” bundles in all these permissions automatically, unbeknownst to Android users. Researchers found that when a third-party application requests “storage permissions” from an Android phone user, it is able to access the camera, record video and access geolocation data embedded in stored photos. The issue was fixed for Google-manufactured phones in July – but Google said patches are still rolling out to smartphones in the broader Android ecosystem, including to Samsung phones. Researchers have disclosed a high-severity issue that could allow attackers to hijack the Google Camera App, the built-in smartphone camera for Android phones.
0 kommentar(er)
