Android security loophole lets apps take and upload pics without you knowing

Google is always keen to downplay the problem of malware on Android, for obvious reasons, but that doesn’t make the underlying threats any less troubling. New threats are being discovered all the time, and as the platform grows - with over 1.5 million Android devices being activated every day - the potential to infect ever more devices grows too. 

It must be said that Google does a pretty decent job when it comes to eliminating malware from its own Play Store - less than 0.1% of apps there contain malicious code, according to F-Secure (pdf) - and efforts such as on-device monitoring have also helped to limit the impact of rogue software. But third-party Android stores fare considerably worse than this; according to Forbes, in one third-party store, a staggering 33% of apps were found to be infected.

One such threat was documented by security researcher Szymon Sidor this week, who found that by creating an app that exploited a simple loophole in the OS, he was able to get a device to capture photos using its camera, and then upload them to a remote server, without the user having so much as a hint that anything untoward had happened.


Your phone could be taking photos of you looking like this, without you knowing!

Sidor said that he had observed numerous apps on Google Play that were capable of taking photos covertly, but each of them required a visible indication of the app’s activity on screen and, critically, for the screen to be switched on. As he wrote on his Snacks For Your Mind blog, he set about trying to see if there was a way to perform the same task, but without that visible indication.

He succeeded, and he was able to do so by exploiting a simple loophole in Android’s security features. Android requires that, when a photo is being taken, a preview of the image viewfinder must be shown on the screen; it’s a measure to ensure that users know that the camera is engaged and not taking photos or videos of them without their knowledge.

But Sidor adjusted the code in his testbed app to continue displaying that preview, but only on a single pixel. That makes it completely impossible for a user to be able to see the preview, and therefore none the wiser if an app were to covertly be capturing snaps of them and uploading them elsewhere. The app was also able to capture other details from the device, such as battery level (crucial in helping to avoid detection of the app via its battery drain), and even the current location of the device. Check out the video below: 

Perhaps the most disturbing finding is revealed in this little snippet (emphasis is ours):

The result was amazing and scary at the same time – the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.

Sidor’s post on his findings is well worth a read – and he also includes a few handy tips on how to protect yourself from the threat of malicious apps on your Android device. He acknowledges that he was not, in fact, the first to discover this flaw, but also adds that he has contacted Google with the details of his own research, in the hope that they will close the loophole with a future security patch.

He ends his post with a simple request to Android’s security team: “Please put more effort into ensuring users’ privacy.” 

Source: Snacks For Your Mind via BGR | Businessman looking at phone image via Shutterstock

Report a problem with article
Previous Story

Rumors hint at Samsung entering the virtual reality business

Next Story

Report claims Google working on "Project Tango" 3D mapping tablet

65 Comments

Commenting is disabled on this article.

I currently use a Lumia 625...

Here is what Google asked for in order to allow me to use their STORE and MAPS services:

Device information

We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.

Log information

When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:

details of how you used our service, such as your search queries.

telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.
Internet protocol address.
device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.

cookies that may uniquely identify your browser or your Google Account.

Location information

When you use a location-enabled Google service (MAPS), we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.

TONS MORE HERE: http://www.google.com/policies/privacy/

I don't know what Apple asks for these days but Microsoft doesn't require anything of the sort...

Only 0.1% of the android market contains known exploits. Since you can't count the ones you don't know, like possible apps that does this and have done this for months theoretically.

architecton said,
That's one of the many reasons why I ditched Android... I don't trust Google.
all the companies are the same... use whatever since the (harmless anyways) data collection goes on no matter what ecosystem you use.

architecton said,
That's one of the many reasons why I ditched Android... I don't trust Google.

Nothing you can do about it... same way you go out in the street and someone in the car with his/her camera, taking photos of you without you knowing.

architecton said,
That's one of the many reasons why I ditched Android... I don't trust Google.

You can't trust in any vendor. They (vendors) are not our friends.

You ditch Android because you don't trust Google?

iOS has issues too, so you won't trust Apple either?

Microsoft has problems with the OS, so you won't trust Microsoft?

As of now, you cannot trust any company.

EZRecovery said,
You ditch Android because you don't trust Google?

iOS has issues too, so you won't trust Apple either?

Microsoft has problems with the OS, so you won't trust Microsoft?

As of now, you cannot trust any company.

Well he can go back to Blackberry...

EZRecovery said,
You ditch Android because you don't trust Google?

iOS has issues too, so you won't trust Apple either?

Microsoft has problems with the OS, so you won't trust Microsoft?

As of now, you cannot trust any company.

I currently use a Lumia 625...

Here is what Google asked for in order to allow me to use their STORE and MAPS services:

Device information

We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). Google may associate your device identifiers or phone number with your Google Account.

Log information

When you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include:

details of how you used our service, such as your search queries.

telephony log information like your phone number, calling-party number, forwarding numbers, time and date of calls, duration of calls, SMS routing information and types of calls.
Internet protocol address.
device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL.

cookies that may uniquely identify your browser or your Google Account.

Location information

When you use a location-enabled Google service (MAPS), we may collect and process information about your actual location, like GPS signals sent by a mobile device. We may also use various technologies to determine location, such as sensor data from your device that may, for example, provide information on nearby Wi-Fi access points and cell towers.

TONS MORE HERE: http://www.google.com/policies/privacy/

I don't know what Apple asks for these days but Microsoft doesn't require anything of the sort...


architecton said,

I currently use a Lumia 625..

Just because it doesn't ask doesn't mean its not being collected. Google tries to be 100% transparent and puts this disclaimer up so you can see WHAT you are agreeing to when installing whatever app you are installing. Windows apps collect the same thing WITHOUT telling you. Same with apple.

rippleman said,

Just because it doesn't ask doesn't mean its not being collected. Google tries to be 100% transparent and puts this disclaimer up so you can see WHAT you are agreeing to when installing whatever app you are installing. Windows apps collect the same thing WITHOUT telling you. Same with apple.

Microsoft OFFICIALLY doesn't gather any personal data without prior warning or user consent. Google DOES.

I'm not referring to 3rd party apps.

night_stalker_z said,
This happens on iOS as well and you don't even need a viewfinder present although you need to have the app open.
which app can you reference this claim too?

For those with Google Play, Nexus, or near stock phones will probably get updated soon. Google was fast to patch the last one. And if Pandora wants to take pics of me getting ready for work in the morning, then I feel for them and not responsible for the consequences.

Just another day. Tomorrow, another flaw will be found somewhere.

techbeck said,
For those with Google Play, Nexus, or near stock phones will probably get updated soon...

This is the inherent problem with Android. Without centralized updates that get pushed to all of the Android devices, its unsuitable for the enterprise. Even if they pushed the update to the current and last generation devices, it means waiting for the OEM to provide that update. That could be months or never getting it. BYOD for android is far too unreliable for any environment that requires any bit of security regardless of it being a forked version or not.

Android has never really been about the Enterprise. And hopefully people will open their eyes to the benefits of using stock Android. Faster updates, longer support, better performance....

'$10,000 to anyone who can also make this happen on (a non-open platform such as) Windows Phone or iOS.'

Not exactly sure what the problem is? Did they bypass the camera permission requirement?
I've been using a dashcam app for years that records in the background with no preview. It also doesn't lock the audio stream when recording, which allows music playback while recording. To me, this so called "loophole" is a feature not a problem. Don't like it? Don't install apps that require camera permission unless they are legitimate applications...

zivan56 said,
Not exactly sure what the problem is? Did they bypass the camera permission requirement?
I've been using a dashcam app for years that records in the background with no preview. It also doesn't lock the audio stream when recording, which allows music playback while recording. To me, this so called "loophole" is a feature not a problem. Don't like it? Don't install apps that require camera permission unless they are legitimate applications...
Just some researcher that is a bit of slow and finally found out about that. :/

The camera permission is still required...

Probably next to impossible to prevent unless they modify the API to prevent camera previews below n*n pixels. Or they could prevent any camera access while device is sleeping but maybe there are legit apps which do this?

tanjiajun_34 said,
Nah. On Neowin, Windows Phone is always the best :)

It is the best. You can blame marketing , late entry in the market and Microsoft crazy policies for its lack of success but still it doesn't alter the fact that it is most secure and reliable mobile operating system. Go check out data.

trojan_market said,
It is the best. You can blame marketing , late entry in the market and Microsoft crazy policies for its lack of success but still it doesn't alter the fact that it is most secure and reliable mobile operating system. Go check out data.
If by 'best' you mean 'not the best', then sure. WP has a fraction of the software support, is poorly regarded by consumers, is behind the curve when it comes to hardware and lacks the flexibility of Android. It isn't by accident that Android has 80% of the world's smartphone market share.

WP has 3% market share. Only on Neowin do people pretend it is relevant.

theyarecomingforyou said,
It isn't by accident that Android has 80% of the world's smartphone market share.

had nothing to do with price either with most handsets being <$100 :)

rippleman said,
had nothing to do with price either with most handsets being <$100 :)
And what's the best selling WP? The Lumia 520. Further, Samsung sells more of its flagship phones than WP does an entire platform.

theyarecomingforyou said,
If by 'best' you mean 'not the best', then sure. WP has a fraction of the software support, is poorly regarded by consumers, is behind the curve when it comes to hardware and lacks the flexibility of Android. It isn't by accident that Android has 80% of the world's smartphone market share.

WP has 3% market share. Only on Neowin do people pretend it is relevant.

You forgot "looks like crap" :p

theyarecomingforyou said,
And what's the best selling WP? The Lumia 520. Further, Samsung sells more of its flagship phones than WP does an entire platform.
1 model vs hundreds of devices... a $129 520 seems like a fortune to some places in the world, but a $20-$30 android sells like hotcakes in india, china and africa.

rippleman said,
1 model vs hundreds of devices... a $129 520 seems like a fortune to some places in the world, but a $20-$30 android sells like hotcakes in india, china and africa.
WP can't compete in terms of flagships or budget phones and is barely competitive in the mid-range. There isn't much that WP does do right.

theyarecomingforyou said,
[...] is behind the curve when it comes to hardware and lacks the flexibility of Android. [...]

[...] WP has 3% market share. Only on Neowin do people pretend it is relevant.

Perhaps you don't know that Windows Phone is not the resource wh*re that Android is, also, it lacks the flexibility of Android, because it's not Android, here you're blaming the pear tree for not giving you apples.

And we don't have to pretend it's relevant, comments like yours that say it's not relevant do nothing but prove that by commenting on it means it's relevant to you as well.

Kaching.

theyarecomingforyou said,
WP can't compete in terms of flagships or budget phones and is barely competitive in the mid-range. There isn't much that WP does do right.


What exactly does ANY of the flagship android phones do better than my Lumia 1020?

Sure you can find some stuff that looks better on paper, but real stuff, what does it actually do better. Cause having used and owned them, I know the answer, nothing.

HawkMan said,


What exactly does ANY of the flagship android phones do better than my Lumia 1020?

Sure you can find some stuff that looks better on paper, but real stuff, what does it actually do better. Cause having used and owned them, I know the answer, nothing.

Do you have choice of theme, browser, music app, and so on?

HawkMan said,
What exactly does ANY of the flagship android phones do better than my Lumia 1020?
Run the large number of apps that aren't available on WP; allow the user to completely customise the UI; support third-party app stores, like that of Amazon; run multiple apps at the same time (splitscreen), etc. Then there's the hardware advantage, as the top end Android phones have higher DPI displays, more RAM, curved displays, fingerprint scanners, faster processors, etc.

It's not that WP is bad, it's just that it's not better than Android - it's behind the curve. The only area where WP has done well is with cameras, specifically with the Lumia range and its Pureview functionality. However, that hasn't been enough to win over consumers.

theyarecomingforyou said,
Run the large number of apps that aren't available on WP; allow the user to completely customise the UI; support third-party app stores, like that of Amazon; run multiple apps at the same time (splitscreen), etc. Then there's the hardware advantage, as the top end Android phones have higher DPI displays, more RAM, curved displays, fingerprint scanners, faster processors, etc.

It's not that WP is bad, it's just that it's not better than Android - it's behind the curve. The only area where WP has done well is with cameras, specifically with the Lumia range and its Pureview functionality. However, that hasn't been enough to win over consumers.

to some (not me, I dislike WP alot) a lot of the things you say aren't actually valid.

apps... if WP has all the apps you use, who cares if it doesn't have the ones you don't use?
customize... most people aren't worried about it, typically if the UI is already good, then leave it be.
multiple apps... on a phone? most ask the question... WHY??

Hardware advantages? myths. I have used almost all the majority of phones, and all SPECS are NOT created equally.

1) You have more speed? means nothing if its not actually faster.
2) You have more ram? means nothing if you OS doesn't use it well.
3) You have more DPI? means nothing if have a display that sucks.
4) You have full HD display? means nothing unless you have the eyes of superman.
5) You have more megapixals? means nothing if you everything else sucks.

typically its kids and the uniformed who put the most weight into specs.

Point that I am trying to make is even though android gives you more user control then the other OS's, doesn't make it better by default. But it does make control freaks feel more like "the phone allows me to make it JUST the way I want it" and to some, that's important. But to most... we simply don't care.

rippleman said,

to some (not me, I dislike WP alot) a lot of the things you say aren't actually valid.

apps... if WP has all the apps you use, who cares if it doesn't have the ones you don't use?
customize... most people aren't worried about it, typically if the UI is already good, then leave it be.
multiple apps... on a phone? most ask the question... WHY??

Hardware advantages? myths. I have used almost all the majority of phones, and all SPECS are NOT created equally.

1) You have more speed? means nothing if its not actually faster.
2) You have more ram? means nothing if you OS doesn't use it well.
3) You have more DPI? means nothing if have a display that sucks.
4) You have full HD display? means nothing unless you have the eyes of superman.
5) You have more megapixals? means nothing if you everything else sucks.

typically its kids and the uniformed who put the most weight into specs.

Point that I am trying to make is even though android gives you more user control then the other OS's, doesn't make it better by default. But it does make control freaks feel more like "the phone allows me to make it JUST the way I want it" and to some, that's important. But to most... we simply don't care.


But sadly what you said is just invalid. Everyone can clearly tell the difference in performance of the Note 3 from the s4. The s4 is powered by Snapdragon 600 and Note 3 Snapdragon 800 but the difference is great. The CPU and GPU might not really matters for WP because yes WP is very smooth, but it does matters for people playing games on their device. Also for 1080p I don't believe it is irrelevant or useless. I can clearly tell my Nexus 4 screen is crap beside the Nexus 5. In fact I find Android OEM makes the best screen (Samsung and HTC). About megapixels, go read reviews on the HTC One m8 camera review. Lots of complains due to low megapixels. Megapixels do matter in some ways as well.

About all those customization, I do like how I can change the launcher to change my phone's appearance. I do like my SwiftKey because it owns all other keyboards to me. I do like how I can choose which sms application to use. I can be using Hangouts or I can be using Disa (A custom Whatsapp client with sms function).

tanjiajun_34 said,

But sadly what you said is just invalid. Everyone can clearly tell the difference in performance of the Note 3 from the s4. The s4 is powered by Snapdragon 600 and Note 3 Snapdragon 800 but the difference is great. The CPU and GPU might not really matters for WP because yes WP is very smooth, but it does matters for people playing games on their device. Also for 1080p I don't believe it is irrelevant or useless. I can clearly tell my Nexus 4 screen is crap beside the Nexus 5. In fact I find Android OEM makes the best screen (Samsung and HTC). About megapixels, go read reviews on the HTC One m8 camera review. Lots of complains due to low megapixels. Megapixels do matter in some ways as well.

About all those customization, I do like how I can change the launcher to change my phone's appearance. I do like my SwiftKey because it owns all other keyboards to me. I do like how I can choose which sms application to use. I can be using Hangouts or I can be using Disa (A custom Whatsapp client with sms function).

i have found no difference in speed between the note 3 and the s4. The difference you see between the nexus 4 and nexus 5 is NOT due to resolution. The nexus 5 simply has a better screen. You are right when you say megapixels do matter in some way.. but only a very small way, in fact its the LEAST amount of end factor that determines end quality. Glad you like to customize, but that's you and you don't represent everyone. There is some that care, but most people seriously don't give a damn. Sorry. But thank you for your input.

theyarecomingforyou said,
Run the large number of apps that aren't available on WP; allow the user to completely customise the UI; support third-party app stores, like that of Amazon; run multiple apps at the same time (splitscreen), etc. Then there's the hardware advantage, as the top end Android phones have higher DPI displays, more RAM, curved displays, fingerprint scanners, faster processors, etc.

It's not that WP is bad, it's just that it's not better than Android - it's behind the curve. The only area where WP has done well is with cameras, specifically with the Lumia range and its Pureview functionality. However, that hasn't been enough to win over consumers.

Apps are generally irrelevant, all the apps I need and want and a lot more are available. Some third party apps on WP are better then the official android apps.

Why would I need to customize the UI, theming on android is horribly bugged to start with. For regular users they can customize their WP phone easier with build in functions. Either way it doesn't affect my usage of the phone.

My 1020 has a high dpi display, could be higher but it doesn't matter and WP have 1080 phones as well, any more is just stupid on a phone display.

And curbed displays... Wouldn't want the crap if they gave it away, it's absolutely stupid. Seriously you actually listed that as an advantage... That's also an OEM thing. More ram and faster CPU... Ehh so... That goes right back to what I said, paper performance, yet in usage my 1020 is faster and smoother than an top en android, so why would I want more expensive paper numbers with no real world effect.

Finger print scanners. Yeah they are working so great on those S5's they can't scan, they scan wrong and they're hack more easily than a computer left logged into Facebook at a workplace.

More and more people are buying Lumia and WP phones and in Europe they have a significant market segment.

Either way it doesn't change the fact the claims in your post was full of BS.

rippleman said,

i have found no difference in speed between the note 3 and the s4. The difference you see between the nexus 4 and nexus 5 is NOT due to resolution. The nexus 5 simply has a better screen. You are right when you say megapixels do matter in some way.. but only a very small way, in fact its the LEAST amount of end factor that determines end quality. Glad you like to customize, but that's you and you don't represent everyone. There is some that care, but most people seriously don't give a damn. Sorry. But thank you for your input.

Sorry but I own a S4 and I know it well really well and it still lags at times. But you can flash the Google Edition rom which helps a lot. But still yeah Note 3>S4. Just because you maybe played around the s4 awhile does not tells you much. I flashed my s4 like almost everyday, trying out different kernels, I definitely know it well enough. Snapdragon 600 is just not enough for me.

Yes Nexus 5's colours might improved. But I think resolution plays a big difference too. Nexus 4 screen is just not as sharp. I know some people won't agree with me. I have a friend who cannot even tell the difference of the S. AMOLED screen on the s1 from the one on s3.

HawkMan said,
Apps are generally irrelevant, all the apps I need and want and a lot more are available. Some third party apps on WP are better then the official android apps.
For most people the appeal of a smartphone is the ability to run apps and WP has a much more limited selection.

HawkMan said,
Why would I need to customize the UI, theming on android is horribly bugged to start with. For regular users they can customize their WP phone easier with build in functions. Either way it doesn't affect my usage of the phone.
Customising the UI allows you to setup the phone the way you like. For instance, I run Aviate on my Note 3 and prefer it to the stock Android UI. There's nothing "bugged" about it. WP just doesn't have that flexibility.

HawkMan said,
My 1020 has a high dpi display, could be higher but it doesn't matter and WP have 1080 phones as well, any more is just stupid on a phone display.
The same was said about 1080p displays on phones.

HawkMan said,
And curbed displays... Wouldn't want the crap if they gave it away, it's absolutely stupid. Seriously you actually listed that as an advantage... That's also an OEM thing. More ram and faster CPU... Ehh so... That goes right back to what I said, paper performance, yet in usage my 1020 is faster and smoother than an top en android, so why would I want more expensive paper numbers with no real world effect.
The point is that Android has a much wider range of hardware, which allows users to better find a device to suit their needs.

HawkMan said,
Finger print scanners. Yeah they are working so great on those S5's they can't scan, they scan wrong and they're hack more easily than a computer left logged into Facebook at a workplace.
That's just nonsense.

HawkMan said,
Either way it doesn't change the fact the claims in your post was full of BS.
You asked me what your WP device can't do that Android devices can and I provided you with a substantial list. That you have chosen to ignore everything I posted because it doesn't suit you isn't my problem.

WP just isn't what consumers want.

theyarecomingforyou said,

You asked me what your WP device can't do that Android devices can and I provided you with a substantial list. That you have chosen to ignore everything I posted because it doesn't suit you isn't my problem.

WP just isn't what consumers want.

No, you ignored over half my post and decided to point out a laundry list of paper specs. Most of wich are irrelevant, have no real world effect or are patently bugged and broken like the S5 finger print sensor. But hey let's pretend it works just fine despite all the reports and emergency patches to it huh....

And the same was said about 1080 screens because it's true.

720 is more than enough for all phones(unless it's a Samsung with one third less sub pixels). 1080 only makes some sense on phablets, which I find a stupid trend anyway. Have you seen people talking in a galaxy mega or note without a headset. It's ridiculous and you can't fit them in your pocket either.

Either way higher than1080 makes no sense even for phablets.

HawkMan said,
And the same was said about 1080 screens because it's true.

720 is more than enough for all phones(unless it's a Samsung with one third less sub pixels). 1080 only makes some sense on phablets, which I find a stupid trend anyway.

And phones don't need 41MP cameras either, yet still you bought one.

HawkMan said,

No, you ignored over half my post and decided to point out a laundry list of paper specs. Most of wich are irrelevant, have no real world effect or are patently bugged and broken like the S5 finger print sensor. But hey let's pretend it works just fine despite all the reports and emergency patches to it huh....

How is that any different than say, the 5S fingerprint reader? Do we really need a 41MP shooter in a phone? What you call irrelevant sells phones...

theyarecomingforyou said,
If by 'best' you mean 'not the best', then sure. WP has a fraction of the software support, is poorly regarded by consumers, is behind the curve when it comes to hardware and lacks the flexibility of Android. It isn't by accident that Android has 80% of the world's smartphone market share.

WP has 3% market share. Only on Neowin do people pretend it is relevant.


do you understand the difference between market share and OS security architecture? this article is about security flaw not market share.

trojan_market said,
do you understand the difference between market share and OS security architecture? this article is about security flaw not market share.
Android is an open platform and has 80% market share, making it the most targeted platform. WP is a closed platform and has 3% market share, making it the least targeted platform. More importantly, security is irrelevant if the phones don't do what the users want.

theyarecomingforyou said,
Android is an open platform and has 80% market share, making it the most targeted platform. WP is a closed platform and has 3% market share, making it the least targeted platform. More importantly, security is irrelevant if the phones don't do what the users want.

at least one of your points make sense, but the other one doesn't. yes security attack intensity can be related to number of user; however iOS devices also has high market share yet both the number of critical flaws and the user data protection is far better architected compared to android. your other point that phone doesn't do what you want is complete non-sense. as for me I use my phone (Lumia 1520) for daily tasks, texting, navigation, emails, playing games, facebook, twitter and basically most of the things other people use and it handles it all pretty well and battery life is fantastic. I litterally charge it every other night with intense use. if there is a missing app, I use mobile site for it that does the job. see your statement is relative and only apply to yourself not to everybody