Secretly taking a picture of the thief who stole your Android phone may sound like a cool feature, and it is. Most paid versions of Android antimalware offer it. It is also a double-edged sword, according to this blog post by Szymon Sidor. If antimalware app developers can secretly take pictures, why can’t bad guys?

Sidor determined that many apps such as Mobile Hidden Camera were able to remove physical indicators of camera activity, including the click sound or a flashing LED. After some further checking, Sidor also determined there were telltale signs these apps did not remove.

A spy-camera app need not show what the camera is seeing, but whenever the camera is on there is always some indication on the screen, albeit a deceptive one. Sidor said that spy-camera apps would also want to shut down the interface if possible, leading him to wonder what the antimalware app developers knew that the rest didn’t. He said, “What I wanted is to take pictures without the user knowing, and at any time, not only when the app is on.”

Sidor was interested in this because it is exactly what the bad guys would want. Sidor tried several ideas:

  • Make the preview invisible: Android just ignored this setting for preview.
  • Make the preview transparent: Again, Android just ignored this setting for preview.
  • Cover the preview with another screen: This partially worked: the view on top still obstructed the screen.

After those failed attempts, Sidor tried a different tack. He borrowed a technique first introduced by spammers and by those who surreptitiously track people visiting their website. Called a web bug, it is a virtually invisible 1x1-pixel image implanted in an email or web page. For his project, Sidor reduced the camera’s preview feed, which normally fills the smartphone’s entire display, to a 1x1-pixel image. To get some idea of the size of one pixel, most HD phone displays consist of millions of pixels, so one pixel would be relatively easy to miss.

This video by Sidor demonstrates how images and other sensitive information were sent to a remote computer. Sidor also mentioned in the video that unlike normal camera operation, photos are not stored in the device’s picture gallery.

Precautions to take

Experts I asked were unaware of any malware using Sidor’s methodology. They also said that if there were, it would most likely be too new to be recognized by antimalware apps. With that in mind, Sidor offered the following ways to prevent this type of malware from gaining a foothold on Android mobile devices.

  • Pay attention to permissions. Do not agree to unnecessary permission requests, such as a flashlight app asking for access to the device’s camera.
  • Keep your Google account secure. If nefarious types have a user’s access, they can install a malicious app and then hide it.
  • Uninstall unused apps.
  • Pay attention to any noticeable increase in battery drain.
  • Check what background services are running. This How to Geek website explains various methods of removing unwanted services and apps.
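As a way to act on the first precaution, the following added example (not from Sidor's post) lists which installed apps currently hold the camera permission and whether they can also reach the network. It assumes the text comes from `adb shell dumpsys package`; the sample excerpt and package names are constructed, and the layout can differ between Android versions.

```python
import re

# Constructed excerpt in the layout printed by `adb shell dumpsys package`.
# Package names are made up; real output carries many more fields.
SAMPLE = """\
  Package [com.example.flashlight] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.camera] (7a8b9c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def granted_permissions(dumpsys_text):
    """Map each package name to the set of permissions marked granted=true."""
    grants, current = {}, None
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            current = m.group(1)
            grants[current] = set()
        elif current and (m := GRANT_RE.match(line)) and m.group(2) == "true":
            grants[current].add(m.group(1))
    return grants

def camera_review_list(dumpsys_text, expected=frozenset()):
    """Return (package, can_upload) for apps holding CAMERA that the caller
    did not list as expected; can_upload means INTERNET is granted too."""
    out = []
    for pkg, perms in sorted(granted_permissions(dumpsys_text).items()):
        if "android.permission.CAMERA" in perms and pkg not in expected:
            out.append((pkg, "android.permission.INTERNET" in perms))
    return out
```

Pass the names of apps that legitimately need the camera as `expected`; anything left on the list, such as a flashlight app, is a candidate for revoking the permission or uninstalling.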

Ransomware is making a strong comeback right now. Imagine if bad guys could add video to their extortion arsenal.

What to do about this feature/vulnerability is far from simple. It appears that in order to fix this so bad guys cannot take pictures secretly, Google may have to break the ability to take pictures of the bad guys who steal phones.