After a detailed analysis of the Google Camera app, our team found
that by manipulating specific actions and intents, an attacker can
control the app to take photos and/or record videos through a
rogue application that has no permissions to do so. Additionally,
we found that certain attack scenarios enable malicious actors to
circumvent various storage permission policies, giving them access
to stored videos and photos, as well as GPS metadata embedded in
photos, to locate the user by taking a photo or video and parsing
the proper EXIF data. This same technique also applied to
Samsung’s Camera app.
In doing so, our researchers determined a way to enable a rogue
application to force the camera apps to take photos and record
video, even if the phone is locked or the screen is turned off.
Our researchers could do the same even when a user was in the
middle of a voice call.
This was fixed in software updates from Google and Samsung before Checkmarx published this report, but it’s impossible to say whether it had been exploited previously. An exploit like this would have been of keen interest to government spook agencies looking for ways to target individuals.