On November 19, cybersecurity firm Checkmarx revealed that months earlier it had uncovered an Android flaw allowing attackers to record and access audio and video through a smartphone without the user’s knowledge. Checkmarx notified Google about the flaw in July and it has since been fixed.
However, millions of Android users were vulnerable to being recorded by cybercriminals before the flaw was corrected. There is no way to know today how many users were exploited through this operating system vulnerability.
The flaw, dubbed CVE-2019-2234, allowed attackers to record both video and audio through smartphone cameras without the user’s knowledge and consent. Checkmarx discovered the vulnerability by developing a fake weather app to test Android phone security. Researchers found that it was possible for malicious users to disable camera shutter sounds, which meant they could turn on recording functions without alerting the user. Worse, the exploit did not require the malicious app to be open. It could be activated even when the phone was locked and the screen turned off.
In addition to video, attackers could exploit the flaw to listen in and record phone calls. It also allowed malicious apps to access data on the phone, including GPS metadata for pictures and videos. If users allowed the app to access phone data, it could even upload the data to an external server.
Google corrected the flaw with a Google Play update in July. To make sure you’re protected, confirm that your camera app has been updated to the latest version.