Android camera apps may soon be creeping on you covertly


Your Android-powered devices could be watching your every move — and you may not know a thing about it.

New research has revealed that Android applications have the ability to quietly take photos and videos in the background and then send them on to others without alerting the user. The discovery could open the door to a new kind of Android malware that doesn’t try to steal your money or your personal data, but instead spies on you as you use your mobile devices.

“I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university,” writes Szymon Sidor, a student at the University of Cambridge, on his personal blog. Having become bored of building hacks for PC webcams, Sidor turned his attention to Android to see if it was possible to recreate them for mobile.

Sidor found during his initial research that using the camera on an Android device “technically requires a preview to be displayed on screen,” but he was encouraged by apps already available in Google Play that allow users to take pictures and videos without obvious preview windows.

His ultimate goal was to create a covert camera app that showed no onscreen preview, and didn’t even have to be running in the background — at least visibly — to take pictures.

Sidor’s first attempt at creating such an app was unsuccessful, because Android’s restrictions meant it simply wouldn’t work. He then “remembered something that later turned out to be very relevant”: Facebook’s Chat Heads feature could continue running even when the accompanying Messenger app was not.

“This turned out to be indeed the right track,” Sidor writes. Sidor then built a camera app that did have a preview screen, but was attached to a background service that was mostly invisible to the user; it could not be seen in multitasking menus or the recent apps tray.

He was halfway there. All Sidor had to do now was find a way to hide the onscreen preview. Making it invisible, transparent or attempting to mask it with another view didn’t work. The solution was ingenious.

Sidor made the preview window as small as it could be — just 1 pixel wide by 1 pixel tall. “The result was amazing and scary at the same time,” he recalls. “The pixel is virtually impossible to spot on [a] Nexus 5 screen (even when you know where to look)!”

What Sidor had created was a camera app that is nearly invisible to the user. It’s attached to a background service that would be almost impossible for the average person to find, and its preview window is so small it’s unlikely you’d ever notice it with the naked eye — especially on a 1080p display.

And even if you did notice it, you’d probably think it was just a stuck pixel. After all, who would believe that a tiny oddity on their display could be a sign of a nasty camera app monitoring them in the background?

Sidor’s app is simply a proof of concept, but it’s certainly possible that a trick like this could be used to spy on unsuspecting Android users. So how do you avoid it?

Well, as always, you shouldn’t install apps that weren’t obtained from reputable sources — that’s just common sense for Android users. When installing apps you do trust, you should double-check their permissions requests to ensure they aren’t attempting to access your camera or other features unnecessarily.
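The permission check described above can be scripted. The following is an added example, not code from Sidor's post or from this article: it reads the text printed by `aapt dump permissions <apk>` and flags apps that request the camera alongside permissions that would let them draw outside their own screens or upload what they capture. The package names, the sample dumps and the choice of companion permissions are assumptions made for illustration.

```python
import re

CAMERA = "android.permission.CAMERA"
# Assumption: companion permissions chosen for this example's heuristic.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"   # draw over other apps
INTERNET = "android.permission.INTERNET"             # can upload what it captures

PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?")
# Accepts both "uses-permission: X" and "uses-permission: name='X'" layouts.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump):
    """Return (package, set of requested permissions) from the dump text."""
    package, perms = None, set()
    for raw in dump.splitlines():
        line = raw.strip()
        pkg = PKG_RE.match(line)
        perm = PERM_RE.match(line)
        if pkg:
            package = pkg.group(1)
        elif perm:
            perms.add(perm.group(1))
    return package, perms

def review(dump, camera_expected=False):
    """Return (package, findings) for one app's permission dump."""
    package, perms = parse_permissions(dump)
    findings = []
    if CAMERA not in perms:
        return package, findings
    if not camera_expected:
        findings.append("requests CAMERA but has no stated camera feature")
    if OVERLAY in perms:
        findings.append("CAMERA + SYSTEM_ALERT_WINDOW: can show windows outside its own screens")
    if INTERNET in perms:
        findings.append("CAMERA + INTERNET: captured media can leave the device")
    return package, findings

# Constructed sample dumps (not real apps).
SAMPLE_WALLPAPER = """package: com.example.wallpapers
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
"""
SAMPLE_NOTES = """package: com.example.notes
uses-permission: android.permission.INTERNET
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WALLPAPER, SAMPLE_NOTES):
        package, findings = review(sample)
        print(package, "->", findings or "no camera-related findings")
```

A finding is a prompt to look closer, not proof of abuse: plenty of legitimate apps hold these permissions, so pass `camera_expected=True` for apps whose purpose is photography or video calling.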

Google could prevent exploits like this one by introducing rules and restrictions for camera apps. For example, it could disable preview windows below a certain size, and ensure that camera actions performed by background services are indicated by an icon in the status bar — just like Bluetooth or GPS.

In the meantime, follow the advice above when installing apps, and don’t assume that an unusual pixel is nothing but a stuck pixel.