Yes, your smartphone camera can be used to spy on you...

Filed Under: Android, Featured, Google, Mobile, Privacy, Security threats

smartphone-camera-170Yes, smartphone cameras can be used to spy on you - if you're not careful.

A researcher claims to have written an Android app that takes photos and videos using a smartphone camera, even while the screen is turned off - a pretty handy tool for a spy or a creepy stalker.

University student Szymon Sidor claimed in a blog post and a video that his Android app works by using a tiny preview screen - just 1 pixel x 1 pixel - to keep the camera running in the background.

Now that most smartphones come with a camera (or two), and camera use is popular with apps like Instagram that encourage photo sharing, hackers are finding sneaky ways to exploit them.

Spyware of this sort has been around for a long time for Windows - the malware called Blackshades for example, which hackers have used to secretly record victims with their computer's webcam.

This is the latest instance of an Android application that can hijack a smartphone or tablet's camera for the same devious purpose.

According to Sidor, the Android operating system won't allow the camera to record without running a preview - which is how Sidor discovered that he could make the preview so small that it is effectively invisible to the naked eye.

Sidor demonstrated how the app works in a video, using his Nexus 5 smartphone.

Sidor said his app worked so well it was "scary":

The result was amazing and scary at the same time - the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)!

Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.

Allowing the camera to run in the background - without an indicator in the notification bar - is "inexcusable" and should be fixed by Google's Android team, Sidor commented in his blog post.

Selfie spies

smartphone-spycam-170There are other Android spyware apps readily available, such as mSpy, that allow snoops to access a device's activity such as text messages, location, and even make audio recordings.

In March 2014 we reported at Naked Security about a spyware app for Google Glass that could take photos without the Glass display being lit.

Mike Lady and Kim Paterson, graduate researchers at Cal Poly, in California, uploaded to Play Store a Google Glass spyware app (disguised as a note-taking app called Malnotes).

Google only discovered the Glass spyware and took it down from Play Store when the pair's professor tweeted about their research experiment.

Perhaps the researchers were wrong to knowingly violate Google's developer policies to serve up their spyware - but it's a warning sign that even the all-powerful Google can't completely secure Google Play against malicious apps.

The best advice we have for Android users still applies here and in many other examples of bad apps:

  • Stick as far as possible to Google Play.
  • Avoid apps that request permissions they don't need.
  • Consider using an Android anti-virus that will scan apps automatically before you run them for the first time.


Free download (no registration, no time-limit)...

Images of smartphone camera and phone surveillance camera courtesy of Shutterstock.

, , , , , , , , , ,

You might like

12 Responses to Yes, your smartphone camera can be used to spy on you...

  1. Josh Kirschner · 90 days ago

    "This is one of the first reported instances, however, of an app that successfully uses the smartphone camera without the user's knowledge."

    I'm a little confused by your comment. There are many spyware apps that are capable of taking photos with a phone's camera without the user's knowledge, and these spyware apps have been around for quite some time.

    I've personally tested nearly a dozen spyware apps and can confirm many have this capability (http://www.techlicious.com/review/android-spyware-apps-how-dangerous-are-they/).

    While an antimalware app on your phone is a wise idea, it's also been my experience, in testing antimalware apps against spyware and speaking with representatives from the major antimalware firms (including Sophos), that companies have been far too willing to classify these types of programs as "potentially unwanted apps (PUA)", rather than true malware. PUA are often excluded from the malware listings, leaving you open to spying from a malicious actor.

    • Paul Ducklin · 88 days ago

      We updated the article to take your remarks into account...thanks!

      As for Sophos and PUAs, we do classify some of these "for sale openly" spyware apps as PUAs (e.g. mSpy), but that's just a post-detection category that we display.

      We still identify and block the mSpy app, and other PUAs, as threats as soon as you try to install them, same as for any other threat (outright malware or not).

      PUA detection can be turned off separately from other threat detections, but it is _on_ by default.

  2. Serpico · 90 days ago

    Just out of curiousity, would Sophos anti virus app have picked up the above mentioned spywares in its scan?

    • Paul Ducklin · 89 days ago

      I don't think the research app was released, so there's nothing to block. As for other spyware, generally Sophos will block it, e.g. mSpy (mentioned above).

  3. Anonymous · 89 days ago

    Okay, it's Android phone.... is that mean Iphone is safe?

    • Anonymous · 89 days ago

      The only "safe" device is no device..... If you follow security at all you'd know it just a matter of time before someone finds a working hack.

    • Josh Kirschner · 29 days ago

      No. The same spyware exists for iPhones, as well (I've tested it). Though in all cases I've seen, the iPhone must be jailbroken first.

  4. SpecterTechOps · 89 days ago

    Assume if it;s tech there is someone who knows how to make it not safe regardless of manufacturer and type ie. phone, pc, apple computer, or even some smart televisions. Precaution toward paranoia is the only true protection, unfortunately.

  5. Mathias Poujol-Rost · 87 days ago

    One of the numerous reason why I don't have a "smart"-phone.

    YOU shall be smart while buying & using it.

  6. CIA · 76 days ago

    Do you know since when is the ability to stealthily take photos available in the market, my research says since early 2013 is it true?

    • Josh Kirschner · 29 days ago

      Far longer. At least since 2011, probably earlier.

  7. 😁 · 76 days ago

    I got black tape stuck on mine works with even the most experienced hackers lol :p

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.