Yes, smartphone cameras can be used to spy on you – if you’re not careful.
A researcher claims to have written an Android app that takes photos and videos using a smartphone camera, even while the screen is turned off – a pretty handy tool for a spy or a creepy stalker.
University student Szymon Sidor claimed in a blog post and a video that his Android app works by using a tiny preview screen – just 1 pixel x 1 pixel – to keep the camera running in the background.
Now that most smartphones come with a camera (or two), and camera use is popular with apps like Instagram that encourage photo sharing, it’s a little surprising it has taken so long for hackers to find sneaky ways to exploit them.
Spyware of this sort has been around for a long time for Windows – for example, the malware called Blackshades, which hackers have used to secretly record victims with their computer’s webcam.
But this seems to be the first reported instance of an Android application that can hijack a smartphone or tablet’s camera for the same devious purpose.
According to Sidor, the Android operating system won’t allow the camera to record without running a preview – which is how Sidor discovered that he could make the preview so small that it is effectively invisible to the naked eye.
Sidor demonstrated how the app works in a video, using his Nexus 5 smartphone.
Sidor said his app worked so well it was “scary”:
“The result was amazing and scary at the same time - the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)!
Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.”
Allowing the camera to run in the background – without an indicator in the notification bar – is “inexcusable” and should be fixed by Google’s Android team, Sidor commented in his blog post.
There are other Android spyware apps readily available, such as mSpy, that allow snoops to access a device’s activity, such as text messages and location, and even to make audio recordings.
This is one of the first reported instances, however, of an app that successfully uses the smartphone camera without the user’s knowledge.
But just because researchers are only recently discovering this Android vulnerability doesn’t mean others haven’t tried to exploit it maliciously.
In March 2014 we reported at Naked Security about a spyware app for Google Glass that could take photos without the Glass display being lit.
Mike Lady and Kim Paterson, graduate researchers at Cal Poly, in California, uploaded a Google Glass spyware app (disguised as a note-taking app called Malnotes) to Play Store.
Google only discovered the Glass spyware and took it down from Play Store when the pair’s professor tweeted about their research experiment.
Perhaps the researchers were wrong to knowingly violate Google’s developer policies to serve up their spyware – but it’s a warning sign that even the all-powerful Google can’t completely secure Google Play against malicious apps.
The best advice we have for Android users still applies here and in many other examples of bad apps:
- Stick as far as possible to Google Play.
- Avoid apps that request permissions they don’t need.
- Consider using an Android anti-virus that will scan apps automatically before you run them for the first time.
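One way to act on the advice about unneeded permissions, as an added example that is not from the article or from Sidor’s blog post: this Python script parses text in the layout printed by `adb shell dumpsys package` and reports apps holding camera, microphone, SMS or location grants that the reviewer did not expect. The package names, the abbreviated sample dump and the `EXPECTED` map are constructed for illustration.

```python
import re
# Capabilities the article names: camera, audio recording, text messages, location.
SENSITIVE = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
HEADER_RE = re.compile(r"^\s*(Package|SharedUser) \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def granted_sensitive(dumpsys_text):
    """Map package name -> sorted sensitive capabilities currently granted."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            # Grants listed under a SharedUser block belong to no single package.
            current = header.group(2) if header.group(1) == "Package" else None
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true" and grant.group(1) in SENSITIVE:
            result.setdefault(current, set()).add(SENSITIVE[grant.group(1)])
    return {pkg: sorted(caps) for pkg, caps in result.items()}

def flag_unexpected(dumpsys_text, expected):
    """Packages holding a capability missing from the reviewer's `expected` map."""
    found = granted_sensitive(dumpsys_text)
    extra = {p: [c for c in caps if c not in expected.get(p, set())] for p, caps in found.items()}
    return {p: e for p, e in extra.items() if e}

# Constructed, abbreviated sample in the layout of `adb shell dumpsys package`.
SAMPLE = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
  Package [com.example.camera] (4d5e6f):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""
# Hypothetical reviewer expectations: a camera app may use the camera, a notes app may not.
EXPECTED = {"com.example.camera": {"camera"}}
print(flag_unexpected(SAMPLE, EXPECTED))
```

To check a real device, save the output of `adb shell dumpsys package` to a file and pass its contents in place of `SAMPLE`.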