A recently discovered Android exploit could give apps access to your camera, microphone, and location without asking for permission.
Many of us today entrust our mobile phones with everything from private photos to contacts, and it's become critically important in recent years that we keep our private information secure and manage who has access to it. Our phones all now come equipped with cameras, microphones, and GPS tracking capabilities that you wouldn't want just anyone having access to.
The permission system on Android phones is your first line of defense against dodgy apps that could be designed to spy on users or just harvest and sell their personal data. When you install an app from the Google Play store or open it, it tells you exactly what parts of the device it needs access to in order to do its job and you can quickly spot an app asking for something it definitely doesn't need such as camera permissions.
Security researchers at Checkmarx have discovered that a vulnerability in the pre-installed Camera app on Google and Samsung devices can accidentally give other apps on your phone access to the camera and microphone without permission. A malicious app can trick the built-in Camera app into taking photos or recording videos on its behalf, and the built-in app already has the required permissions.
The exploit can be executed by any app that has can access device storage, an unrelated and innocuous permission that many apps require to function. The worst part is that the exploit could function even if your phone is locked with the screen off, and an attacker could use the camera's GPS metadata feature to work out your location without asking for permission.
Source: The Hacker News, Checkmarx
