A researcher has demonstrated that attackers can create an Android app that surreptitiously takes pictures and uploads them to a remote server without the user noticing.
“There are many apps on Play Store that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more) but from what I found all of them require app activity to be visible and phone screen to be on,” security researcher Szymon Sidor explained in a blog post. “Some of them manage to record video without visible preview.”
But he managed to create an app that does so without displaying any notification, without the app's presence being visible (i.e. on the list of installed applications), and even without the screen being on.
The good news is that users can protect themselves from this type of spying by being extra careful when reviewing the apps they want to install and the permissions those apps request.
Keeping a close eye on your Google Account and setting up two-step verification is also a good idea, because an attacker who manages to hijack the account can install apps on your phone remotely, without your approval.
Check out Sidor’s blog post for more technical details on how he managed to do this, but you won’t find the code he used there.
He commented that he had reported the issue to Google, but said they are probably already aware of it, as other people discovered the problem before him.