They also found that the same vulnerabilities impact the camera apps of other smartphone vendors in the Android ecosystem. They specifically cited Samsung's camera app as vulnerable. The team found in testing that by manipulating specific actions and intents, an attacker can control the app to take photos and record photos through a rogue process that should have no permission to do so.
Checkmarx also notes that it found specific attack scenarios that could enable malicious actors to circumvent various storage permission policies to give them access to stored videos and photos along with GPS metadata embedded in photos; that data could be parsed to locate the user. One way the researchers found enabled a rogue application to force the camera to take pictures and record videos even if the phone is locked or the screen turned off. The researchers were able to force video and images to be taken even when the user was in the middle of a voice call.
Allowing an app to receive input from the camera, mic, and GPS location is highly invasive, according to Google (or course). The team was able to design an attack scenario that circumvents the permission policy by abusing the Google Camera app itself. The vulnerability has to do with giving permissions to external storage, which provides an app with access to the entire SD card. The team says that when activated during a voice call, the hacker could record the voices on both ends of a conversation.
Checkmarx says that it has already notified Google of its findings, and the company updated vulnerable versions of the Camera App in July 2019.