
Android users, beware: Huge security hole lets phones secretly spy on you and capture photos

Updated May 23rd, 2014 11:03AM EDT


We have seen some scary Android malware in the past, but a new report from former Googler and current software engineer turned accidental security researcher Szymon Sidor reveals that some simple code can force an Android phone to secretly capture photographs. The resulting images can then be uploaded to a remote server without the device’s owner ever knowing.

Writing on his blog Snacks for your mind, Sidor reveals that he has inadvertently uncovered a huge security loophole in Android.

“There are many apps on Play Store (if you are iPhone user think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more) but from what I found all of them require app activity to be visible and phone screen to be on,” Sidor wrote. “Some of them manage to record video without visible preview.”

With that in mind, Sidor decided to see if he could get an Android phone to take pictures — and ultimately send them to a remote server of his choosing — without the user ever knowing.

Unfortunately for Android users everywhere, he accomplished his goal.

In a nutshell, Sidor was able to create an app that gets around Android’s requirement that a preview must be displayed on a device’s screen when a photo is being captured. Actually, he didn’t really get around the requirement, but instead found a brilliant loophole:

Sidor’s software still displays a preview while capturing photos, but that preview feed is only displayed on one single pixel.

In other words, instead of showing the viewfinder preview feed on the phone’s entire screen, Sidor’s app sends the feed to just one pixel so it is basically invisible. Since modern smartphone displays have so many pixels, having one light up on a full HD display packed with more than two million pixels is impossible for the user to notice, whether the screen is on or off.

Horrifying indeed.

Sidor is the first engineer to publicly discuss this huge security hole, but there is no way to tell if he is the only person who has known about it and implemented it. In fact, it is entirely possible that malicious apps currently exist that are capable of spying on device owners by secretly capturing photos and transmitting them to remote servers.

Sidor’s post is a fascinating and terrifying read, and it’s linked below in our source section.

Zach Epstein Executive Editor
