What is the most un-nerving action hackers can do to your smartphone? Perhaps, hack into your camera and watch you as you go about your day? What about jack into your microphone and listen to everything you say in your daily meetings? Well, a series of vulnerabilities has been making news that allows attackers to do just that in your most personal devices.
How does this work?
Research teams at Checkmarx Security uncovered a way to bypass user permissions and manipulate specific smartphone actions. For this to work, the user must download a malicious mobile application through an app store. The malicious application itself doesn’t require any special permissions other than basic storage access which is common in mobile apps. Once the mobile application is installed on the phone, the app can issue an outbound connection from the phone to a server in the cloud that an attacker can control. The scary part is that the connection isn’t necessarily terminated just by closing the application.
What can be exploited using CVE-2019-2234?
- Take a photo using your smartphone camera.
- Record video using your smartphone camera.
- Record audio from both sides of a phone conversation.
- Record video of the user at the same time as capturing audio.
- Capture GPS tags from all photos use them to locate the current user.
- Access and copy stored photo and video information.
- Silence camera shutter sounds that alert the user when taking photos.
- The photo and video recording activity can be initiated even if the phone was locked.
- Upload all this information to a remotely controlled server.
What’s being done about this?
This vulnerability has been patched for the most part by Google back in July. However, many users still don’t update their phones when prompted. They also delay their security patches time and time again. The rogue application download has been an attack vector time and time again to attack personal cell phones. The important take away from this vulnerability is that you need to do something about mobile security. Whether that’s managing your company’s phones through a mobile device management application, or just having better security hygiene with your personal devices.
Written by Grant Codak
Grant has over a decade of IT experience spanning a variety of domains with a focus on defensive security. Grant is currently a Cybersecurity Expert at TechGuard Security where he performs a wide variety of proactive security services, including penetration testing. He also holds the following certifications: CISSP, CEH, Security+, Network+, A+, and Metasploit Pro Certified Specialist. Recent responsibilities include, a Senior Web Security Engineer at a Fortune 50 organization along with a variety of application administration roles in security operations. His past project work includes, web tool development as well as firewall and web proxy migrations. Currently at TechGuard Security, Grant conducts audit control assessments, penetration tests, vulnerability assessments and social engineering exercises. Grant ties his knowledge together with his deep understanding of network operations and security architecture to deliver approachable report analysis to clients. Grant is also a nature enthusiast and enjoys mountain biking, hiking and kayaking.