Explore a critical security research presentation revealing 0-day vulnerabilities in Android smartphones. Delve into the manipulation of actions and intents that allow unauthorized camera control without specific permissions. Learn about Android terminology, exported activities, permission checks, and the creation of rogue applications. Examine the implications for user privacy, including unauthorized selfies, screen capture, and location metadata extraction. Follow the disclosure timeline, Google's response, and the impact on other Android vendors. Gain insights into the intersection of voice assistant features and potential security risks in this eye-opening 28-minute Black Hat conference talk by Erez Yalon.
Hey Google, Activate Spyware! - When Google Assistant Uses a Vulnerability as a Feature
Overview
Syllabus
Introduction
Android Terminology
Hey Google Take a Selfie
Intents
Permissions
Summary
Analyzing exported activities
Not looking for permission checks
Creating a rogue application
Persistence
Application
Hacking the Phone
The Screen
Back to the List
Location Metadata
Rogue Application
Proximity Sensor Activation
What Hackers Really Want
Disclosure Timeline
Other Android Vendors
Google Response
Conclusion
Taught by
Black Hat
