Sophos Cloud Optix
Yes, smartphone cameras can be used to spy on you – if you’re not careful.
A researcher claims to have written an Android app that takes photos and videos using a smartphone camera, even while the screen is turned off – a pretty handy tool for a spy or a creepy stalker.
University student Szymon Sidor claimed in a blog post and a video that his Android app works by using a tiny preview screen – just 1 pixel x 1 pixel – to keep the camera running in the background.
Now that most smartphones come with a camera (or two), and camera use is popular with apps like Instagram that encourage photo sharing, hackers are finding sneaky ways to exploit them.
Spyware of this sort has been around for a long time for Windows – the malware called Blackshades for example, which hackers have used to secretly record victims with their computer’s webcam.
This is the latest instance of an Android application that can hijack a smartphone or tablet’s camera for the same devious purpose.
According to Sidor, the Android operating system won’t allow the camera to record without running a preview – which is how Sidor discovered that he could make the preview so small that it is effectively invisible to the naked eye.
Sidor demonstrated how the app works in a video, using his Nexus 5 smartphone.
Sidor said his app worked so well it was “scary”:
The result was amazing and scary at the same time - the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)!
Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.
Allowing the camera to run in the background – without an indicator in the notification bar – is “inexcusable” and should be fixed by Google’s Android team, Sidor commented in his blog post.
Selfie spies
There are other Android spyware apps readily available, such as mSpy, that allow snoops to access a device’s activity such as text messages, location, and even make audio recordings.
In March 2014 we reported at Naked Security about a spyware app for Google Glass that could take photos without the Glass display being lit.
Mike Lady and Kim Paterson, graduate researchers at Cal Poly, in California, uploaded to Play Store a Google Glass spyware app (disguised as a note-taking app called Malnotes).
Google only discovered the Glass spyware and took it down from Play Store when the pair’s professor tweeted about their research experiment.
Perhaps the researchers were wrong to knowingly violate Google’s developer policies to serve up their spyware – but it’s a warning sign that even the all-powerful Google can’t completely secure Google Play against malicious apps.
The best advice we have for Android users still applies here and in many other examples of bad apps:
- Stick as far as possible to Google Play.
- Avoid apps that request permissions they don’t need.
- Consider using an Android anti-virus that will scan apps automatically before you run them for the first time.
Images of smartphone camera and phone surveillance camera courtesy of Shutterstock.
“This is one of the first reported instances, however, of an app that successfully uses the smartphone camera without the user’s knowledge.”
I’m a little confused by your comment. There are many spyware apps that are capable of taking photos with a phone’s camera without the user’s knowledge, and these spyware apps have been around for quite some time.
I’ve personally tested nearly a dozen spyware apps and can confirm many have this capability (http://www.techlicious.com/review/android-spyware-apps-how-dangerous-are-they/).
While an antimalware app on your phone is a wise idea, it’s also been my experience, in testing antimalware apps against spyware and speaking with representatives from the major antimalware firms (including Sophos), that companies have been far too willing to classify these types of programs as “potentially unwanted apps (PUA)”, rather than true malware. PUA are often excluded from the malware listings, leaving you open to spying from a malicious actor.
We updated the article to take your remarks into account…thanks!
As for Sophos and PUAs, we do classify some of these “for sale openly” spyware apps as PUAs (e.g. mSpy), but that’s just a post-detection category that we display.
We still identify and block the mSpy app, and other PUAs, as threats as soon as you try to install them, same as for any other threat (outright malware or not).
PUA detection can be turned off separately from other threat detections, but it is _on_ by default.
If you haven’t allowed the installation of unknown sources on your phone on any apps but have been on dangerous websites quite a few times in the past but haven’t downloaded anything from them and you had multiple AV scans saying its clean how likely is it that you’re safe? Also if it has been a while and nothing has happened (no hacker has gone out to finally contact you and threaten you etc once he got stuff about you)
Can those photos they take can appear in the gallery?
I suggest that the answer is, “Yes, or no.” If malware can control your camera and the images it takes, then it’s almost certain that it can either add them where they will appear in the Gallery… or not, depending on what it wants. (In short, don’t rely on images grabbed by spyware showing up in the gallery as a way of spotting the problem.)
Just out of curiousity, would Sophos anti virus app have picked up the above mentioned spywares in its scan?
I don’t think the research app was released, so there’s nothing to block. As for other spyware, generally Sophos will block it, e.g. mSpy (mentioned above).
Okay, it’s Android phone…. is that mean Iphone is safe?
The only “safe” device is no device….. If you follow security at all you’d know it just a matter of time before someone finds a working hack.
No. The same spyware exists for iPhones, as well (I’ve tested it). Though in all cases I’ve seen, the iPhone must be jailbroken first.
Assume if it;s tech there is someone who knows how to make it not safe regardless of manufacturer and type ie. phone, pc, apple computer, or even some smart televisions. Precaution toward paranoia is the only true protection, unfortunately.
One of the numerous reason why I don’t have a “smart”-phone.
YOU shall be smart while buying & using it.
Do you know since when is the ability to stealthily take photos available in the market, my research says since early 2013 is it true?
Far longer. At least since 2011, probably earlier.
I got black tape stuck on mine works with even the most experienced hackers lol :p
How funny, mines covered with duct tape, haven’t solved the mic recording problem yet though,
Good idea. I thought of doing that
Haha. Spy all you want. I dont use credit cards and i dont care what you see. I wake up. Work. Eat. Poop. Sleep. If you want to spend all day taking pics of that go ahead. The zoo is probably more entertaining in my opinion. I dont understand why people are so scared.
Try being a woman with a cyber stalker.
Exactly
I am having a problem getting any kind of hardening software or anti hacking security software downloaded onto my android. I have a potential stalker and can’t seem to shake them Bc not knowing exactly what they or others who know them are capable of and don’t want to find out they have threatened loved ones and even me if I didn’t do as they want even when I kept saying no they they weren’t trying to hear it. So now Iam stuck in a very cconfusing situation and need urgent help getting This squashed so I can have peace of mind for me and my loved ones.
I think so too the person has recordings and seems to know where I am. I am wondering how they know this.
Lol this is kinda not good
Cameraless app is a good solution. it will block your camerae whenever you want.
I have had a weird feeling that my phones camera was taking pictures. It is a crazy world that people would do this.
What exactly does the spying party need to hack your phone?
Leading this to my own experience.. I was hacked and all my private photos were leaked to my college friends.. It was such a shame then..
So what is the best thing to do since all we do is online how do we keep safe from spys
Duct tape
Tape over the lens on your screen. Put a piece of paper over the lens and then tape the paper to the phone. So as not to ruin your lens.
🚫📷
YUP! I use post it notes to cover my camera.
ok so when im listening to music when i coverup the front camera my screen goes black..is that something i should worry about?
I think many phones use the front camera to help decide when your phone is in its case, or face down on the table, or against your head while making a call, and react accordingly (e.g. by locking, switching to silent mode, disabling the touch screen). So I assume that’s what’s happening.
It’s not the front camera that’s on, it’s a proximity sensor, which typically is a simple sensor which simply measures the amount of light it receives. It’s usually next to the front-facing camera, but can’t take normal pictures and only has a range of a couple of inches.
No that’s a motion sensor. Most smart phones have had that for a few years now, I think it used to be iris sensor on Samsung a few years ago
I’m more concerned about camera spying while I’m using the phone rather than when I have it locked (since it will probably be in my pocket anyway)
wait if thats true every nude ever taken can go viral
Can hackers use both the front and back cameras? How do you actually know whether or not someone’s spying on you through your phone? Is it just like, if you don’t have bad malware or apps, then you’re safe? I mean, I know the obvious solution is to cover up your phone’s camera with a sticky, but doesn’t that kind of defeat a lot of the purposes of phones anyway?
OK so we know smart phones can actually be hacked and someone can be watching me through my own lens on my phone but how do I know if it’s being done to me ??can you tell me please!!!! Can somebody simplify this answer ?
How do I detect if my phone is being hacked?
I think the earpiece on my phone is licking the wax out of my ears when I use it. On top of that I feel little spiders crawling into my mouth from the power connection port. Is this normal?
It’s not just the front and back cameras your pixels can be hacked ! So any place on your whole screen can be used as a camera so small you can’t see it . Nice,(not) hah!
To be clear, the pixel on the screen isn’t acting as a camera (the screen doesn’t act as a input sensor). The pixel serves only as a “display window” that is enough to make Android treat it as a camera app even though the camera part of the app is invisible.