MANCHESTER: Recently, a security flaw was made public that allowed the camera on your Android phone to spy on you. The vulnerability was found by security researchers at Checkmarx, and it allowed an app with only storage permissions to take control of the camera app on your phone and use it to take photos and videos.
The team at Checkmarx found this vulnerability to be present in both the Google Camera and Samsung Camera apps, as well as camera apps from other smartphone makers. In a video demo, Checkmarx used a Pixel 2 XL running Android 9 to show how this flaw worked and several scenarios of how it could be used to spy on you.
The attack starts with installing an app that asks only for storage permissions on your phone, a permission that is quite common among apps. In this case, Checkmarx used a weather app that then gave an attacker access to your phone with the ability to open the camera app and take photos or videos. Not only could the attacker remotely trigger your camera and view the photos or videos, but they could also view the GPS data to get your location, as well as check the status of the proximity sensor to make sure you were not looking at the phone and would not see that the camera app was active.