Taking Photos Without Notifications: Bug or Feature?

Openness often brings security risks. Several days ago, Szymon Sidor published a blog post showing that it is possible to take a photo or video on Android without displaying any notification. Malware could send such photos over the internet to its C&C server and spy on the victim. This is shown in the Proof-of-Concept below:

Taking photos without showing the preview UI is not recommended by Android, but it is doable. It seems like a feature rather than a bug. In fact, many existing Android apps already implement this behavior – take the “Find my Phone” app as an example. It can take photos with the front camera without showing any notification, so that it can snap the thief’s face once your phone is stolen.

According to our tests, there are at least 3 ways of hiding the preview UI:

  • Set the preview UI size small enough (e.g. 1×1 pixel)
  • Set the preview UI margin large enough that it lies outside the visible screen area
  • Create the preview UI with new() and never set its position or size

We also made a Proof-of-Concept app, which can turn your phone into a spy camera, to demonstrate how easy it is to turn a feature into malware.

Although not every background capture is malicious, it is suspicious behavior. The Trustlook Platform logs all background camera activity:

[Screenshots: Trustlook Platform log entries for background camera activity, captured 2014-05-29]
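As an added example (not code from the original post, the PoC repository, or the Trustlook Platform), here is how a monitoring layer could fold the three hiding tricks listed above into one check when logging a capture: compute how much of the preview surface actually overlaps the screen, and flag the capture when that area is negligible. The event fields, the 32×32 threshold and the sample events are assumptions constructed for the example.

```python
# Added example: flag camera captures whose preview surface is effectively invisible.
from dataclasses import dataclass
from typing import Optional


@dataclass
class PreviewGeometry:
    """Geometry of the preview surface at capture time (assumed log fields)."""
    width: Optional[int]   # None when the view was created but never sized
    height: Optional[int]
    left: int = 0          # offset from the screen's top-left corner, may be negative
    top: int = 0


def visible_pixels(preview: PreviewGeometry, screen_w: int, screen_h: int) -> int:
    """Area (in pixels) of the preview rectangle that overlaps the visible screen."""
    if preview.width is None or preview.height is None:
        return 0  # trick 3: created with new() and never given a size
    x0, y0 = max(preview.left, 0), max(preview.top, 0)
    x1 = min(preview.left + preview.width, screen_w)
    y1 = min(preview.top + preview.height, screen_h)
    if x1 <= x0 or y1 <= y0:
        return 0  # trick 2: margin pushes the whole preview off-screen
    return (x1 - x0) * (y1 - y0)  # trick 1 yields a tiny but non-zero area


MIN_VISIBLE_PIXELS = 32 * 32  # assumed threshold below which a preview is "hidden"


def is_hidden_preview(preview: PreviewGeometry, screen_w: int, screen_h: int,
                      min_visible: int = MIN_VISIBLE_PIXELS) -> bool:
    return visible_pixels(preview, screen_w, screen_h) < min_visible


# Constructed capture events in the shape a camera-activity log might record.
SAMPLE_CAPTURES = [
    {"app": "com.example.spycam",      "screen": (1080, 1920), "preview": PreviewGeometry(1, 1)},
    {"app": "com.example.findmyphone", "screen": (1080, 1920), "preview": PreviewGeometry(640, 480, left=5000)},
    {"app": "com.example.unsized",     "screen": (1080, 1920), "preview": PreviewGeometry(None, None)},
    {"app": "com.example.camera",      "screen": (1080, 1920), "preview": PreviewGeometry(1080, 1440, top=240)},
]


def audit_captures(events: list) -> list:
    """Return the package names whose captures used a hidden preview surface."""
    return [e["app"] for e in events
            if is_hidden_preview(e["preview"], *e["screen"])]


if __name__ == "__main__":
    print(audit_captures(SAMPLE_CAPTURES))
```

A real deployment would read the preview geometry from the platform's own camera hooks; the point here is that all three hiding tricks collapse into the same "no visible preview area" condition.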

The PoC code can be found at: https://github.com/hex1337/spycamera.
