According to the inquirer, recently, a vulnerability has been exposed in the Android system, allowing attackers to secretly take photos and record videos without the permission of users.
The vulnerability number is cve-2019-2234, which is studied by the security company checkmarx. The vulnerability affects Google camera and Samsung camera App that have not been updated since July this year.
Under normal circumstances, third-party applications need explicit permissions to access cameras, record audio, and access location data. However, the researchers found that they only need to obtain the permission to access the SD card of the device. Without authorization, these applications can also obtain the permission to use the camera and microphone to capture video and audio.
The researchers said that in this way, hackers can create a malicious application to obtain storage access rights, and obtain the rights of the camera application from there without user permission.
Researchers said that this malicious app can not only access users' past photos and videos, but also start the camera to take new photos and videos at will. In addition, because GPS data is usually embedded in photos, hackers can also obtain user data by taking photos or video analyzing EXIF data.
At present, Google and Samsung said that the vulnerabilities of relevant camera applications have been fixed. Here's a reminder to Google and Samsung users to ensure that they are running not only the latest version of Android, but also the latest version of Android device camera application.