It’s a familiar story, unfortunately, but once again we’re here to warn Android users that their smartphones and tablets could theoretically be recording video and taking pictures without them knowing, with the output then being uploaded to a remote server without any indication whatsoever.
The somewhat worrying development comes after former Googler and software engineer Szymon Sidor took to his personal blog to expose what appears to be a loophole that allows malicious apps to take control of an Android device’s camera and transmit its output without showing a visible on-screen preview, even though Android requires apps to display one whenever the camera is in use. The preview was always seen as the way to make sure that everyone knew when their device was shooting pictures or recording video, but Sidor’s loophole shows that it doesn’t actually guarantee this.
After deciding to see if such a thing was possible, Sidor set about creating his own app to test the water. What he discovered is both worrying and brilliant in equal measure. While Android does require that an on-screen preview be displayed, it doesn’t care how large that preview is. Armed with that knowledge, he made his app display a preview just one pixel in size. With today’s phones and tablets having millions of pixels, spotting a single one is almost impossible, meaning nobody will ever notice the preview lighting it up. For all intents and purposes, it’s invisible.
While Sidor is the first person to speak publicly about the security flaw, there’s no way of knowing whether he’s the first to discover it or not. We doubt that there are thousands of apps taking advantage of this particular loophole, but then again, you only need to have installed one for it to be distressing. Hopefully nobody has!
Here’s the video demo:
Google will no doubt want to implement a fix that forces Android previews to occupy a high percentage of the screen resolution, but those whose devices aren’t Nexus models will then need to wait for that update to reach them through their manufacturer and carrier. As we all know, that’s not always a quick process.
How to protect yourself?
Sidor has shared some tips on how to best protect your Android device right now until Google comes up with a proper fix for this loophole:
- Pay attention to apps that require permission to use the camera.
- Keep your Google account secure to avoid remote app installation. Use two-step verification on your account.
- Remove all the apps you don’t use regularly.
- Check for any suspicious apps that are using more battery and data bandwidth. Remove them if possible.
- Check for any suspicious apps making use of Background Services (Settings->Apps->Running) and remove them if possible.
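The first tip, checking which apps hold the camera permission, can be done from a computer with `adb` rather than by clicking through every app’s settings page. The script below is an added example for this article and is not Sidor’s code; it assumes a device reachable over adb with USB debugging enabled, and that the `dumpsys package` output uses the `Package [...]` headers and `<permission>: granted=true` lines shown in the constructed sample. It lists every package whose CAMERA grant is currently true and flags the ones that also hold INTERNET, since camera access alone cannot upload anything.

```shell
#!/bin/sh
# Added example (not from the article or from Sidor's app): list installed apps
# that currently hold the CAMERA permission, and whether they also have INTERNET,
# by parsing `adb shell dumpsys package` output.
# Assumptions: adb is on PATH with a device attached for a live run; the dumpsys
# format matches the "Package [...]" / "<permission>: granted=true" lines below.

# Constructed sample of `dumpsys package` output (not captured from a real device).
SAMPLE_DUMP='
Packages:
  Package [com.example.flashlight] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (d4e5f6):
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.scanner] (0a1b2c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
'

# Reads dumpsys text on stdin; prints "<package> CAMERA" or
# "<package> CAMERA+INTERNET" for each package whose CAMERA grant is true.
camera_apps() {
  awk '
    # Emit the package collected so far, if it holds a live CAMERA grant.
    function emit(label) {
      if (pkg != "" && cam) {
        label = net ? " CAMERA+INTERNET" : " CAMERA"
        print pkg label
      }
      pkg = ""; cam = 0; net = 0
    }
    {
      i = index($0, "Package [")
      if (i > 0) {
        emit()
        pkg = substr($0, i + 9)                       # text after "Package ["
        pkg = substr(pkg, 1, index(pkg, "]") - 1)     # up to the closing "]"
        next
      }
      if (index($0, "android.permission.CAMERA: granted=true") > 0) cam = 1
      if (index($0, "android.permission.INTERNET: granted=true") > 0) net = 1
    }
    END { emit() }
  '
}

# Offline run against the constructed sample above.
audit_sample() {
  printf '%s\n' "$SAMPLE_DUMP" | camera_apps
}

# Live run against a connected device (requires adb and USB debugging).
audit_device() {
  adb shell dumpsys package | camera_apps
}

audit_sample
```

Run `audit_device` on a real handset and compare the list against what you expect; a flashlight or wallpaper app holding both CAMERA and INTERNET is exactly the kind of entry worth removing under the tips above. Apps whose CAMERA grant is `granted=false` (com.example.notes in the sample) are not listed.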