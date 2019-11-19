YOUR ANDROID CAMERA APP could be snooping on you thanks to a vulnerability that allows it to snap pics and record video without permission.

The flaw (CVE-2019-2234), which was found by researchers from Checkmarx, affects the Google camera and Samsung camera apps that haven't been updated since July this year.

In normal practice, third-party apps need to be given explicit permissions to access the camera, record audio, and access location data. These are referred to as intents.

But the researchers found that by giving app storage permission to a device's SD card, it could then allow the app to gain those camera app intents, but without being granted permission to do so.

With this in mind, the researchers said hackers could create a malicious app that gets storage access, and from there gain access to the camera apps' intents without permission from the user.

"A malicious app running on an Android smartphone that can read the SD card, not only has access to past photos and videos, but with this new attack methodology, can be directed to initiate (take) new photos and videos at will," the researchers said.

"And it doesn't stop there. Since GPS metadata is usually embedded into the photos, the attacker can take advantage of this fact to also locate the user by taking a photo or video and parsing the proper EXIF data."

Checkmarx's clever folks noted that access to storage is one of the most common permissions requested by Android apps, so the potential reach of such a vulnerability could be significant.

Before you hoof your Galaxy S10+ or Pixel 3a out of the window, Google said the vulnerability in both the Google and Samsung camera apps has been fixed.

But users will need to make sure they're running not only the latest version of Android but have the latest version of the camera app for their Android devices; we suspect auto-update processes may have taken care of that for a good few of you, but those who like to do things manually - stop laughing at the back - then best get updating. µ