According to an investigation by Checkmarx security researchers, some Android devices may have an unpatched security flaw that an app could use to record you without your knowledge using your device’s camera and mic.
No attacks that exploit the bug have been reported so far, thankfully. Still, the Checkmarx researchers were able to successfully create and execute commands that could remotely record phone calls; capture photos, video, and audio; access GPS metadata from photos; and even check whether the phone was facing down—meaning hackers may one day create their own clever attacks for devices running an unpatched version of the default camera app.
Google and Samsung released patches for impacted smartphones earlier this year, but Checkmarx’s report suggests that many other Android smartphones may still be affected. Fortunately, there are ways you can check if your device has been patched.
Check for the bug on Pixel phones
Pixel users can check for the patch easily: simply open your device’s settings then go to Apps & Notifications > See All Apps > Camera > Advanced > App details to open the app’s Google Play Store page. If the app has been updated since July 2019, you’re in the clear.
Check for the bug on other Android devices (manually)
If you’re not sure whether your smartphone’s manufacturer has issued an update for your phone’s camera app that fixes this bug, one way to find out is to try triggering the bug yourself on your own phone (a method that comes courtesy of Ars Technica). You’ll need:
- A PC (this will work on Windows, Mac, and Linux).
- Your Android device.
- A USB cable to connect them.
Once you have those materials, here’s what you need to do:
- First, you’ll need to install and configure ADB tools on your PC. All the necessary files and instructions for installing ADB for your PC’s OS can be found on the XDA Developer Forums.
- After ADB is installed and configured, plug your Android phone into your PC with the USB cable. Next, we’re going to try to use ADB commands to force the phone to take videos and photos without opening the phone’s camera app.
- Open your PC’s command terminal. On Windows: Press “Windows Key+R,” then type “cmd” and hit “run.” On Mac: Press “Command+Space” to open the Finder, then type “Terminal” and double click the Terminal icon to run.
- In the command prompt window, run the following commands one at a time:
adb shell am start-activity --ez extra_turn_screen_on true -a android.media.action.VIDEO_CAMERA
adb shell am start-activity --ez extra_turn_screen_on true -a android.media.action.STILL_IMAGE_CAMERA --ez android.intent.extra.USE_FRONT_CAMERA true
Open your phone’s camera app and go to your photo/video library to check if the commands worked. If you find a new photo or video, then the bug is present on your device.
If you haven’t updated your device’s camera app in a while, try checking for updates via the Google Play Store. Once you’ve installed anything that’s available for your phone’s default camera app, try the above ADB commands again. If they still work, you should report the issue to your device’s manufacturer as soon as possible. In addition, stay away from unknown camera, video, or audio recording apps, since this is the most likely method for hackers to slip malicious code onto your device and take a few photos.
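The "updated since July 2019" check from the Pixel section can also be run over the same ADB connection. This is an added example, not part of the original article: it reads the `lastUpdateTime=` line that `adb shell dumpsys package <package>` prints and compares it with a cutoff. The cutoff date of 2019-07-01, the function names and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a camera app as updated or stale from the text
# printed by `adb shell dumpsys package <package>`.

CUTOFF="2019-07-01"   # assumption: our reading of "updated since July 2019"

# Print the yyyy-mm-dd part of the first lastUpdateTime= line on stdin.
# The first match belongs to the installed copy; a later one may describe
# the factory copy of a system app.
last_update_date() {
    sed -n 's/^[[:space:]]*lastUpdateTime=\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' | head -n 1
}

# Read dumpsys text on stdin and echo "updated", "stale" or "unknown".
camera_patch_status() {
    d=$(last_update_date)
    if [ -z "$d" ]; then
        echo "unknown"    # field missing: wrong package name or no output
        return
    fi
    # ISO dates compare correctly as integers once the dashes are removed.
    if [ "$(echo "$d" | tr -d '-')" -ge "$(echo "$CUTOFF" | tr -d '-')" ]; then
        echo "updated"
    else
        echo "stale"
    fi
}

# Constructed sample dumpsys excerpts (not captured from a real device).
SAMPLE_UPDATED='    firstInstallTime=2009-01-01 00:00:00
    lastUpdateTime=2019-08-05 10:22:31'
SAMPLE_STALE='    firstInstallTime=2009-01-01 00:00:00
    lastUpdateTime=2019-03-14 08:01:02'

# With a package name as the first argument, query the connected phone.
# Find the name with: adb shell pm list packages | grep -i camera
if [ -n "${1:-}" ]; then
    adb shell dumpsys package "$1" | camera_patch_status
else
    printf '%s\n' "$SAMPLE_UPDATED" | camera_patch_status
    printf '%s\n' "$SAMPLE_STALE" | camera_patch_status
fi
```

A result of "stale" or "unknown" only means the update date could not confirm the patch; the manual test above remains the direct check.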