According to researcher Syzmon Sidor, your smartphone camera can spy on you without so much as a notification to tip you off. The spy app, which doesn’t even show up in the phone’s list of installed applications, can then send photos over the Internet to anyone on the planet.
This is the first reported instance of a hacker being able to secretly hijack Android cameras.
For years, cameras have been seen as security threats on Windows and Mac computers. They can be hijacked by hackers of all stripes to turn on without any indication and record what happens right in front of them.
Sidor decided to focus on Android, the most popular mobile operating system on the planet, to see if he could surreptitiously take pictures or record video at any time with a malicious spy app that the phone’s owner doesn’t know about. The answer quickly turned out to be “yes.”
According to the operating system’s rules, using an Android’s camera requires that a preview of the picture is displayed on the screen so that the phone’s owner knows without a doubt that the camera is on. In an attempt to circumvent those rules and operate the camera secretly, Sidor first tried to make the preview invisible but failed to fool the operating system. Making the preview transparent or covering it up with other applications were also ignored by Android.
But eventually he found a solution. The programmer made the camera preview the size of a single pixel, so small that no human being could possibly see it even if they know where to look. It is, however, big enough that Android is tricked into believing a legitimate preview is running and that the phone’s owner is aware that the camera is in use. This approach allows the camera to operate without anyone else knowing, perfect for spying.
All of sudden, Sidor had found a way to secretly operate a smartphone camera. He recorded a demo on a Nexus 5 phone and uploaded the results to YouTube.
He said the hack was “amazing and scary at the same time” and called the loophole “inexcusable.”