Security firm Checkmarx recently disclosed an Android camera flaw that made it possible for third-party apps to spy on people. Google and Samsung devices were initially affected, but both companies have since issued patches to their camera apps. Other OEMs may still be susceptible to this vulnerability.
According to Checkmarx, the bug allowed unauthorized apps to record videos, take pictures, record audio, and log GPS locations. As long as the user gave the app permission to access storage, it could also upload the data to a remote server.
This is possible because of how Android handles app permissions. Since Marshmallow, Android has used pop-up prompts to ask users to grant permissions such as camera and microphone access. The camera apps on affected devices didn’t need to ask for these permissions, and attackers could exploit that functionality to spy on Android users.
Checkmarx initially submitted a vulnerability report to Android’s Security team at Google in July. In August, Google and Checkmarx contacted multiple manufacturers regarding the vulnerability, and Samsung confirmed it was affected.
Google has also confirmed that Android partners now have access to a patch for this camera flaw. It has not publicly confirmed which other manufacturers were affected or whether they have issued patches. What we do know is that all Google Pixel and Samsung Galaxy handsets are officially rid of this vulnerability.