A security firm says it has identified and fixed a vulnerability that could allow an attacker to steal credit card numbers and other sensitive information from a target user.
Key points:A security researcher from the company Secure Circle has discovered a vulnerability in its products that could enable attackers to steal a target’s credit card information from an attacker The flaw is limited to Android devicesThe flaw has been found and fixed by Secure Circle and was reported to Google in the last weekA security firm from the US and Germany has been working on a security vulnerability that is limited only to Android phones.
The bug, which is limited exclusively to Android smartphones, allows an attacker who has access to a target phone’s Android system to take control of the target phone, bypass security protections, access its camera and microphone and read the phone’s SMS messages, the researchers said.
The flaw is located in the Android system’s Camera API, which allows for the capture of image data from the camera or microphone.
The exploit does not need root access, the vulnerability is in the API’s permission mechanism and requires root access to run, the security researchers said in a blog post on Monday.
“This vulnerability is limited, only affects Android devices, but does allow attackers to capture credit card and other personal information from victims using the Android Camera API,” the vulnerability disclosure blog post said.
“We’ve already identified a fix, but we’ll be releasing more information as it becomes available.”
The vulnerability has been described as a “critical vulnerability”.
“The vulnerability we discovered allows an Android user to obtain a remote root access via the Android API and execute arbitrary code on the device,” the blog post explained.
“As a result, an attacker can remotely execute arbitrary commands on the target device by sending the victim a malicious text message, or the attacker can download a file or install a malicious app on the victim device by exploiting the same vulnerability.”
The flaw was discovered by a security researcher who goes by the name of Mr Secure, the disclosure blog said.
Mr Secure said he first identified the vulnerability last week, and the flaw was found in a security module in the Camera API that is used by many Android phones, including the Pixel 2 XL, Pixel 2 and Pixel 2XL, the Samsung Galaxy Note 8 and Note 10.
These devices are powered by Qualcomm’s Snapdragon 820 chipset, and include the Snapdragon 821 and 821X, the Snapdragon 820 and 820X, and all of the rest of the chipsets, including ARM processors.
“I was initially very sceptical of this vulnerability, as I knew it was a critical vulnerability that required root access,” Mr Secure said.
“However, once I discovered that the vulnerability existed, I began to work on a fix.”
The security researcher’s fix was to update the camera module, and his fix is now being pushed to Android users.
“Android devices running Marshmallow have had their camera API updated, making the vulnerability more exploitable,” Mr Security wrote.
“This vulnerability will be patched in a later release of Android.”
Google has since made it easier for users to patch the flaw.
Users can enable root access through the Security panel on Android devices with a tap on the Settings icon, and this access is controlled via the following menu: