If you have the Android version of Skype on your phone, a flaw in the software appears to make it easy to eavesdrop on anyone using the client. Right now the flaw appears to be limited to the Android version, but considering Android has a massive user base, this issue likely affects a large population of users.
Here's how it works: the flaw lets a caller force the Android client to call back, which activates the camera and microphone of the target. To exploit the flaw, you need two Skype devices and the steps below:
- Have 2 devices signed into your Skype account. Desktop and phone will do.
- Call the target's Android Skype account with device 1.
- Disconnect device 1 from the Internet as the target phone is ringing.
- Target phone will immediately call you back.
- Pick up with device 2.
We believe the phone calls you back because Skype is trying to reconnect a dropped call. But because the call was never completed in the first place, this method can turn on a remote user's microphone and camera.
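A callee-side guard against the behaviour described above, as an added example that is not from the article or from Skype's code. The `CallSession` class, its states and the `guarded` switch are hypothetical, and the model assumes the article's guess that the callback comes from reconnect logic.

```python
from enum import Enum, auto


class CallState(Enum):
    RINGING = auto()    # incoming call, local user has not answered
    CONNECTED = auto()  # local user accepted, media is flowing
    ENDED = auto()


class CallSession:
    """Hypothetical callee-side session; not Skype's actual design."""

    def __init__(self, guarded):
        self.guarded = guarded          # assumption: toggles the fix
        self.state = CallState.RINGING
        self.media_active = False       # microphone/camera capture

    def accept(self):
        # Only an explicit local user action may start capture.
        if self.state is CallState.RINGING:
            self.state = CallState.CONNECTED
            self.media_active = True

    def on_peer_lost(self):
        """Caller dropped off the network. Returns True if we redial."""
        was_answered = self.state is CallState.CONNECTED
        self.state = CallState.ENDED
        self.media_active = False
        if self.guarded and not was_answered:
            return False  # never answered, so there is nothing to reconnect
        # Redial and resume capture. Without the guard this also runs for
        # a call that only rang, which is the behaviour the article reports.
        self.state = CallState.CONNECTED
        self.media_active = True
        return True


def simulate(user_answers, guarded):
    """Run one constructed scenario; returns (redialled, media_active)."""
    session = CallSession(guarded)
    if user_answers:
        session.accept()
    redialled = session.on_peer_lost()
    return redialled, session.media_active


if __name__ == "__main__":
    for answers in (False, True):
        for guarded in (False, True):
            print(answers, guarded, simulate(answers, guarded))
```

The guarded session still reconnects a call the user had answered, so the check removes only the unanswered-call case.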
Several users on Reddit were able to recreate the bug. It's important to point out that if you use a phone to start the process, you need to use Airplane mode, as in some cases Skype will switch to LTE and complete the call. It is said that it does not work every time, but the fact that multiple users can replicate the issue proves that this is not a one-off fluke.
According to user 'Ponkers' on Reddit, he contacted Microsoft, and they are apparently aware of the issue and are working on a fix at this time. We have reached out to Microsoft and will update this post when we hear back; considering this is Christmas Eve, response time may be slower than usual.
Source: Reddit | Thanks for the tip Greg!