Openness often brings security risks with it. A few days ago, Szymon Sidor published a blog post proving that it is possible to take a photo or video on Android without displaying any notification. Malware can send such photos over the internet to a C&C server and spy on the victim. This is shown in the Proof-of-Concept below:
Taking photos without showing the preview UI is not recommended by Android, but it is doable. It looks like a feature rather than a bug. In fact, many existing Android apps already implement this behavior; take the "Find my Phone" app as an example. It can take photos with the front camera without any notification, intended to snap the thief's face once your phone is stolen.
According to our tests, there are at least 3 ways of hiding the preview UI:
- Set the preview UI size small enough (e.g. 1×1 pixel)
- Set the preview UI margin large enough that it exceeds the visible screen area
- Create the preview UI by using new() and not setting its position/size
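From the defender's side, the first two hiding methods above leave a trace in an app's layout resources: a preview view sized to a pixel or two, or given a margin far larger than any screen. The following heuristic scanner, an added example that is not part of the original post or its PoC, flags such views in decompiled layout XML; the thresholds (`TINY_PX`, `HUGE_MARGIN`) and the sample layout are constructed assumptions. The third method (a preview view created programmatically with no position or size set) lives in code rather than XML, so it is out of reach of this check.

```python
import xml.etree.ElementTree as ET

PREVIEW_VIEWS = {"SurfaceView", "TextureView"}  # views normally used for a camera preview
TINY_PX = 2         # assumed threshold: a preview at or below this size (px/dp) is invisible
HUGE_MARGIN = 5000  # assumed threshold: a margin this large pushes the view off any screen
MARGIN_ATTRS = ("layout_margin", "layout_marginLeft", "layout_marginStart", "layout_marginTop",
                "layout_marginRight", "layout_marginEnd", "layout_marginBottom")

def _dimension(value):
    """Parse an Android dimension like '1px' or '-20000dp' into a number, or None."""
    if value is None:
        return None
    for unit in ("dip", "dp", "px", "sp", "pt", "mm", "in"):
        if value.endswith(unit):
            value = value[:-len(unit)]
            break
    try:
        return float(value)
    except ValueError:  # match_parent, wrap_content, @dimen/... references
        return None

def find_hidden_previews(layout_xml):
    """Return (view tag, reason) pairs for preview views that look deliberately hidden."""
    findings = []
    for elem in ET.fromstring(layout_xml).iter():
        tag = elem.tag.split(".")[-1]  # android.view.SurfaceView -> SurfaceView
        if tag not in PREVIEW_VIEWS:
            continue
        # drop the {namespace} prefix ElementTree puts on android:* attributes
        attrs = {k.split("}")[-1]: v for k, v in elem.attrib.items()}
        w, h = _dimension(attrs.get("layout_width")), _dimension(attrs.get("layout_height"))
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            findings.append((tag, f"tiny preview {w:g}x{h:g}"))
        for key in MARGIN_ATTRS:
            m = _dimension(attrs.get(key))
            if m is not None and abs(m) >= HUGE_MARGIN:
                findings.append((tag, f"off-screen margin {key}={attrs[key]}"))
    return findings
# Constructed sample layout: one honest preview, one 1x1 preview, one pushed off-screen.
SAMPLE_LAYOUT = """<FrameLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent" android:layout_height="match_parent">
  <SurfaceView android:id="@+id/honest" android:layout_width="match_parent"
      android:layout_height="match_parent"/>
  <SurfaceView android:id="@+id/tiny" android:layout_width="1px" android:layout_height="1px"/>
  <TextureView android:id="@+id/offscreen" android:layout_width="200dp"
      android:layout_height="200dp" android:layout_marginLeft="-20000dp"/>
</FrameLayout>"""

if __name__ == "__main__":
    for view, reason in find_hidden_previews(SAMPLE_LAYOUT):
        print(f"suspicious {view}: {reason}")
```

Run it over every layout file in an unpacked APK's `res/layout/` directory; a hit is a reason to look closer at how the app uses the camera, not proof of malice on its own.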
We also built a Proof-of-Concept app that can turn your phone into a spy camera, to demonstrate how easily such a feature becomes malware.
Although not every background snapshot is malicious, it is suspicious behavior. The Trustlook Platform will log all background camera activity:
The PoC code can be found at: https://github.com/hex1337/spycamera.