An exploit has been found regarding Google’s default camera app along with numerous other camera apps from different vendors. A team of security researchers have found a way to access the phone’s storage to bypass Android’s permissions and although most phones have already been patched against it it’s good to know for those that use side-loaded apps or custom ROMs with no updates.
Google makes third-party apps request permission to access the phone’s photos and videos as well as accessing the default camera app but researchers were able to get permission on a rogue app without the user’s explicit agreement. By manipulating specific actions and intents, the attacker can gain control over the camera app meaning, he or she can take photos and record videos without the user’s consent.
In addition, certain scenarios also allow the attacker to gain control over the device’s storage as well as GPS metadata stored in photos’ and videos’ EXIF. Here, watch the video below and see how the group hijacks a Pixel 2 XL phone.
The backdoor could be found not only on Pixel devices but phones from other vendors as well, with Samsung in particular named. The update was found back in July and the research team contacted Samsung and Google, which quickly issued patches for the camera apps of their phones.
The search giant has also contacted all OEMs about the exploit and distributed a patch so everyone using official software and still getting support by their manufacturer should be safe. You can learn more about the exploit by following the source link below.