On Tuesday, researchers from cybersecurity company Checkmarx disclosed vulnerabilities in several Android devices, including Google's Pixel line and Samsung's Galaxy series. The security flaws would have allowed attackers to take photos and videos on the devices without people knowing, or to eavesdrop or do location tracking, according to Erez Yalon, Checkmarx's director of security research.
While it exploited Google Assistant, the vulnerability specifically affected Android devices because it was using app permissions.
Checkmarx informed Google and Samsung about the security issue in July. The two companies told Checkmarx they fixed the issue in a Play Store update the same month. While the patch is available, it's unclear if every affected device maker has issued the fix.
"We appreciate Checkmarx bringing this to our attention and working with Google and Android partners to coordinate disclosure," Google said in a statement. "The issue was addressed on impacted Google devices via a Play Store update to the Google Camera Application in July 2019. A patch has also been made available to all partners."
Samsung said since it was notified by Google about the issue, it's released patches to address all the potentially affected device models. "We value our partnership with the Android team that allowed us to identify and address this matter directly," Samsung said in a statement.
As devices gain advanced features like voice commands, they also introduce new ways for potential hackers to break in. Security researchers have found that voice assistants have provided a path for potential hacks through innovative ways like using lasers or not-so-advanced methods like yelling through a window.
"Every single thing that goes into our phones should be considered an input from the outside, and we cannot really trust it all the time," Yalon said. "Voice is definitely part of the attack surface. It is considered, but mistakes happen."
Checkmarx's researchers found that voice assistants present a vulnerability even without someone speaking. To exploit the security flaw, an app just has to send a voice-related code.
While most apps need permission to take photos or videos, voice assistant services like Google Assistant and Samsung's Bixby are considered trusted software, so they don't. For instance, Android apps that use the camera have to be given permission to run the command "android.media.action.VIDEO_CAPTURE," Yalon explained, but Google Assistant already has permission.
The researchers found that any app could take advantage of that loophole.
To demonstrate a potential attack, Checkmarx researchers developed an innocent-seeming weather app. The app would appear to give the latest forecast, but in the background, it could send a "voice" request to Google Assistant to take a photo or start recording video.
But you'd never hear it -- the app was doing it all in the code, Yalon said. The malicious app would then send all the content back to a server controlled by the researchers.
The vulnerability could have also allowed for location tracking and eavesdropping, Yalon noted. That's because most photos automatically log GPS coordinates in the image's metadata. Taking advantage of the Google Pixel's proximity sensor -- which knows when your phone is at your ear or face down -- the malicious app could also start recording videos when it knows a person isn't looking at the screen, capturing audio in the background.
Checkmarx even found that the recording could start during a phone call. The only permission that the malicious weather app required was access to storage, which it used to cover its tracks.
"With storage permissions, I can delete anything," Yalon said. "There would be no visible trails available. How would you know that I was eavesdropping?"