Updated November 21st, 2019 at 15:39 IST

Hackers can now also spy on you using your smartphone camera

Cybersecurity researchers have discovered a new threat in Android phone cameras that could allow an attacker to secretly take photos and record videos.

Reported by: Tanmay Patange

If you were under the impression that you could be spied on only through WhatsApp, using a highly sophisticated software tool like Pegasus, you are not only wrong, but probably also in denial if you assume that the rest of your smartphone experience is secure.

The internet is a risk-prone area, and we have already seen, and discussed, numerous examples and incidents of cybersecurity threats, privacy breaches, malware and ransomware attacks that render the idea of a 'secure or risk-free internet' completely obsolete.

Now, cybersecurity researchers have discovered a new threat in Android phone cameras that could allow an attacker to secretly take photos and record videos without your knowledge, let alone consent or permission.

Researchers at software security firm Checkmarx published a video on how they managed to exploit the loophole in Google Pixel 2 and Google Pixel 3 smartphones.


Once researchers found a workaround, they were able to capture photos and record videos on the victim's phone. Researchers were also able to upload those photos and videos back to a remote command-and-control (C&C) server.

What raises concerns here is that researchers were able to bypass the permission policy, which is supposed to prevent apps from performing more tasks and activities than they should.

However, the implications of this privacy threat may not be limited to photos and videos. Researchers argue that hackers could also examine the EXIF data embedded within the stolen photos to determine your physical location.

Researchers could parse recently stolen photos for GPS tags, locate the phone on a global map, silently access the camera to capture photos and record videos, record audio from a voice call and more.

"This means that a rogue application can take photos and/or videos without specific camera permissions, and it only needs storage permissions to take things a step further and fetch photos and videos after being taken. Additionally, if the location is enabled in the camera app, the rogue application also has a way to access the current GPS position of the phone and user," Checkmarx said in its blog post.

"Of course, a video also contains sound. It was interesting to prove that a video could be initiated during a voice call. We could easily record the receiver’s voice during the call and we could record the caller’s voice as well," it added.


Published November 21st, 2019 at 14:50 IST