Hundreds of millions of Android phone cameras can be hijacked by spyware

A Samsung Galaxy S10 smartphone and a Google Pixel 3 smartphone side-by-side.
(Image credit: Future)

Rogue Android apps can hijack the default camera apps on Google and Samsung smartphones, and probably the camera apps on many other brands of Android phones, to take photos and record video and audio without the device users' permission. 

The apps can also view phone locations and other apps' files, turning the phones into perfect spying devices. Even the best Android antivirus apps might not be able to protect you.

This flaw has been patched in Google and Samsung devices, according to a blog post from Checkmarx, the Israeli security firm that found the vulnerability. But it's not clear how many other phone makers have taken similar steps. 

"These same vulnerabilities may affect other smartphone vendors and likely impacts hundreds of millions of Android users worldwide," states a demonstration video that Checkmarx posted on YouTube.

Now that the flaw is public knowledge, it won't be long before someone tries to exploit it in a real-life attack. If you own a Google Pixel or Samsung phone, make sure your camera app is fully up-to-date. As for other phone makers, we'll just have to wait for more information.

In fact, the Checkmarx researchers thought the flaw affected only Google's own Pixel phones — the Pixel 2 XL and Pixel 3 were directly tested -— until they told Google about it.

"Google informed our research team that the impact was much greater and extended into the broader Android ecosystem, with additional vendors such as Samsung acknowledging that these flaws also impact their Camera apps, and began taking mitigating steps," said a Checkmarx blog posting today (Nov. 19).

Google told Checkmarx that it has notified several other phone makers, but Checkmarx did not name them.

"According to Google, additional OEMs [original equipment manufacturers] also confirmed the flaws," stated the official Checkmarx report.

Incredibly, it turned out that any other app could call on the Google Camera app to take photos and record video without any special permissions. The only permission a rogue app would need to abuse the Google Camera app would be to write to an Android device's storage -- a very common permission used by thousands of apps.

The Checkmarx researchers created a proof-of-concept malicious weather app that established a permanent connection to a remote server. The app gave the human controlling that server a real-time video feed. 

If GPS location services were enabled on the targeted device, the hacker could see them too, as well as other files stored on the device. The attacker could also record the audio from both sides of a phone conversation.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.