Security researchers from Checkmarx have found a vulnerability in smartphones running the Android operating system, including the Pixel 1 and 2, that allows data from the camera, microphone and GPS location to be stolen without the user’s consent.
The flaw, dubbed CVE-2019-2234, was discovered when the researchers used a rogue app to bypass the security permissions of Google Play Protect, transforming devices into spying machines.
In their research, the team of security analysts broke into the apps by taking over the camera controls in order to identify possible abuse scenarios stemming from permission bypass issues in Google Pixel 2 and 3 smartphones. Similar vulnerabilities were also found in the camera applications of other vendors using Android.
Checkmarx, an Israel-based application security company, says that it was able to conduct espionage through a rogue weather app on targeted phones and to gain control of data stored on the devices, including media files and financial info.
As soon as the app was started, it connected to a remote command-and-control server and began to conduct espionage on the phone's data. However, the decision to spy on the device depended on the hacker’s intent and the data on the device. If the app's initial analysis revealed the presence of sensitive info, the device was subjected to further scrutiny, and all of that data was copied and directed to the related servers.
Google received a warning about this from Checkmarx last weekend and has issued a press statement saying that it already released a partial fix for its camera app in July ’19 and that a more stringent one was on the way.