A researcher claims to have written an Android app that takes photos and videos using a smartphone camera, even while the screen is turned off – a pretty handy tool for a spy or a creepy stalker. University student Szymon Sidor claimed in a blog post and a video that his Android app works by using a tiny preview screen – just 1 pixel x 1 pixel – to keep the camera running in the background.
An extremely sophisticated Android app designed to spy on users has been discovered by security researchers
Now that most smartphones come with a camera (or two), and camera use is popular with apps like Instagram that encourage photo sharing, hackers are finding sneaky ways to exploit them. Spyware of this sort has been around for a long time for Windows – the malware called Blackshades for example, which hackers have used to secretly record victims with their computer’s webcam. This is the latest instance of an Android application that can hijack a smartphone or tablet’s camera for the same devious purpose. According to Sidor, the Android operating system won’t allow the camera to record without running a preview – which is how Sidor discovered that he could make the preview so small that it is effectively invisible to the naked eye.
“A few [potentially harmful application] authors spend substantial effort, time, and money to create and install their harmful app on one or a very small number of devices,” said Google in a blog post. “This is known as a targeted attack.”
NSO Group Technologies targeted human rights activist based in the Middle East with Pegasus, and it’s possible that the group was trying something similar with Chrysaor. “To install Chrysaor, we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device,” said Google. “Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS.”
Sidor demonstrated how the app works in a video, using his Nexus 5 smartphone.
The result was amazing and scary at the same time – the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there. Allowing the camera to run in the background – without an indicator in the notification bar – is “inexcusable” and should be fixed by Google’s Android team, Sidor commented in his blog post.
SELFIE SPIES
There are other Android spyware apps readily available, such as mSpy, that allow snoops to access a device’s activity such as text messages, location, and even make audio recordings. In March 2014 we reported about a spyware app for Google Glass that could take photos without the Glass display being lit. Mike Lady and Kim Paterson, graduate researchers at Cal Poly, in California, uploaded to Play Store a Google Glass spyware app (disguised as a note-taking app called Malnotes). Google only discovered the Glass spyware and took it down from Play Store when the pair’s professor tweeted about their research experiment. Perhaps the researchers were wrong to knowingly violate Google’s developer policies to serve up their spyware – but it’s a warning sign that even the all-powerful Google can’t completely secure Google Play against malicious apps.
The best advice we have for Android users still applies here and in many other examples of bad apps:
- Stick as far as possible to Google Play.
- Avoid apps that request permissions they don’t need.
- Consider using an Android anti-virus that will scan apps automatically before you run them for the first time.
- Only installing apps only from reputable sources
- Enabling a secure lock screen
- Keeping devices up-to-date with the latest security patches
- Enabling Verify Apps (Settings > Google > Security > Verify Apps)
- Getting familiar with Android Device Manager, as “you are far more likely to lose your device than install a PHA”
(Reference :nakedsecurity.sophos.com/ )
