Are cell phones allowed in software companies?

Bug in many Android phones allows spying

Many Android phones have suffered from a security vulnerability: installed apps can circumvent the access restrictions on the camera and microphone and take photos and record videos, including sound, without the user's knowledge. If the malicious app has normal access to stored data, it can also transfer the photos and videos to a server. This opens up enormous opportunities for espionage, as shown by a demonstration program (proof of concept) masquerading as a weather app.

At least Android phones with camera apps from Google and Samsung are affected, but possibly other Android phones as well. The problem was discovered by the Israeli software company Checkmarx. It informed Google at the beginning of July, and in the same month Google released an update for its camera app. Samsung has since followed suit. Checkmarx made the vulnerability public on Tuesday.

Quietly and unnoticed

The capture of photos and videos initiated by the attacker works even if the cell phone is locked and the screen is off, or if a phone call is being made. This makes it possible to use the sound of a recorded video not only to listen to the room in which the mobile phone is located, but also to record telephone calls in full. Because the attacker can also switch off the shutter sound of the camera, he is not noticed immediately.

The only indication of the espionage is that the camera image can be seen on the screen. This is less protection than you might think: the attacker app can use the proximity sensor to detect when the phone is lying face down or is being held to the ear, and only then take action.

If the user has failed to switch off the embedding of GPS data in photos, the attacker can also read this data and transfer it home. He can thus find out the current and previous locations of the cell phone. The vulnerability is identified by CVE-2019-2234. (ds)
