Google has revealed a vulnerability that can allow an attacker to control the built-in camera app on a device, as well as take recordings and photos. The warning comes in the Android Security Bulletin for December 2019, which lists the usual patches for the vulnerabilities and security holes the company has found in Android. Google relies on an in-house cybersecurity team that performs penetration tests, as well as academics in computer science, who report potential security risks to the team.
Not all vulnerabilities are the same: some are relatively harmless to the device, while the scale ranges up to the very severe “critical” rating, for flaws that could potentially leak user data or stop the device from functioning. Three of these critical vulnerabilities have been found and patched for the December 2019 Security Update.
The most worrying bug, from a privacy standpoint, is the vulnerability that can allow an attacker to control the built-in camera app on a device, as well as take recordings and photos.
The most severe of them all is a permanent denial of service attack that stops a user’s smartphone from functioning. The scariest thing about this exploit is that “user interaction is not needed for exploitation” and “no additional execution privileges” are needed. This means, technically, a line of code hidden within an app could be triggered remotely to “brick” a phone.
So how does one protect oneself from having a phone remotely bricked? That depends on who makes it.
Google’s own Pixel phones will have received the update already via settings. Samsung, on the other hand, is still sending out its monthly Security Maintenance Releases. However, owners of non-flagship devices can expect to wait longer than those with flagships. On a Samsung Galaxy A6+, the latest security update remains October 2019.
This pattern continues through to other manufacturers like Huawei and LG, which have to test the new security patches against the myriad devices they have on the market. This is what makes security tricky.
Nevertheless, the best thing one can do now is ensure automatic updates over Wi-Fi are enabled. On most Android devices, one can head over to Settings, then to Software Updates (which is sometimes under About Phone). After the phone checks for an update, it will show which version it is using, as well as the security patch level.
A rule of thumb for those who store sensitive data on their smartphones: as soon as your phone stops receiving security patches, it’s time to get another one.