When using the Camera API with Android 4.4, avoid using the Camera2 API as it has a high risk of being exploited via a Remote Code Execution (RCE) bug. The Camera2 API was recently released and is not yet widely adopted. This allows attackers to gain access to the microphone without the user being notified. When using the Camera2 API, ensure the app has camera permission.
AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to record video without camera privilege. When using the Camera2 API, ensure the app has camera permission.
Weak to Strong Reference
The Camera2 API was recently released. The Camera2 API is not widely adopted, which allows attackers to gain access to the microphone without user being notified. When using the Camera2 API, ensure the app has camera permission.
Weak reference: When using the Camera2 API, ensure the app has camera permission.
Strong reference: AtBroadcastReceiver in FactoryCamera prior to version 3.5.51 allows attackers to record video without camera privilege.
AtObjectFactory in FactoryCamera prior to version 3.5.51 allows attackers to gain access to the micr phone without the user being notified.
Android BroadcastReceiver
AtBroadcastReceiver in FactoryCamera before version 3.5.51 allows attackers to record video without camera privilege
When using the Camera2 API, ensure the app has camera permission.
Avoiding Remote Code Execution on Android 4.4
To avoid a vulnerability in the Camera API that allows an attacker to remotely execute code on your phone, you must use the Camera API version 2.2 or greater and ensure your app has camera permission before using the API. The most recent version of the Camera API is 2.3.
Timeline
Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/12/2022 01:12:00 UTC