SCF Advanced Search



Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43467
  • Total Topics: 16558
  • Online today: 2834
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2087
Total: 2088









Author Topic: Android: apps can take photos with your phone without you knowing.  (Read 11329 times)

0 Members and 1 Guest are viewing this topic.

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Dutch SOURCE: https://tweakers.net/nieuws/96213/student-ontdekt-manier-om-android-smartphones-onopgemerkt-fotos-te-laten-maken.html?nb=2014-05-24&u=0900

Found not many English news articles, but... This is one :) http://bgr.com/2014/05/23/android-malware-secret-photo-video-recording/

Leads to Exploit Details: http://snacksforyourmind.blogspot.nl/2014/05/exploring-limits-of-covert-data.html

Partial Quote - follow the link for full article & YouTube videos

Quote
THURSDAY, MAY 22, 2014

Exploring limits of covert data collection on Android: apps can take photos with your phone without you knowing.
SHORT VERSION: Android apps can take photos with your phone in background phones without displaying any notification and you won't see the app on the list of installed applications. App can send the photos over the internet to their private server. You can also find video with demo in this post.

Introduction

http://all-free-download.com/free-vector/vector-clip-art/surveillance_camera_clip_art_18240.html (camera)

I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university. The project suggested by college of mine (Predrag Gruevski) was mostly about using cameras on PC's without turning on indicator light. There were already promising findings in this field (iSeeYou paper discussed doing so on old Mac models). Since the project was relatively general each of member of our team took different approach. I initially started with low-level USB hacking, but despite genuine efforts I found nothing really interesting. Further experiments seemed really boring to me, because they in general involved trying various different cameras and hours of starting at LED light hoping the camera light won't blink.

android


I switched my focus to Android. Initial research was promising. There are many apps on Play Store (if you are iPhone user think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more) but from what I found all of them require app activity to be visible and phone screen to be on. Some of them manage to record video without visible preview.


Technical Details

What I wanted is to take pictures without user knowing, but at any time, not only when the app is on. I started googling and first thing that I found is that using Camera technically requires a preview to be displayed on screen in order to take video, but background services do not have associated visible activity. But let's not get discouraged an keep trying. I wrote a small camera app for my Nexus 5. My first approach was to create a View object that is not attached to any activity and feed preview to that object. That fails (I literally get "take picture failed" exception). The I remembered something that later turned out to be very relevant. Facebook messages draws to the UI, even when the app is not technically running:



This turned out to be indeed the right track. I attached preview to the screen from the background service and indeed I was able to take a photo! This is not yet ideal - the preview is visible on the screen user can clearly see that something is going on. But then I tried to remove it. Here's a list of approaches:

Make preview invisible - failed: Android just ignores this setting for preview
Make preview transparent - failed: Android just ignores this settings for preview
Cover preview by another view - partially failed: the view on top is still obstructing the screen
Make preview 1x1 pixel - successful
The result was amazing and scary at the same time - the pixel is virtually impossible to spot on Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info


neerajrawat1

  • SCF VIP Member
  • *****
  • Posts: 234
  • KARMA: 36
  • Gender: Male
  • We believe in sharing is caring
    • Experts Galaxy
Simple try Kaspersky's service of locating your lost phone. When I was just testing the service last year then found that using the browser in the PC, we can click pics of a stolen phone and then I realized as it can click pics without any noise then same way any malicious application can also do it.

devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
True, but you give those apps explicit permissions... This is really a nasty bug: abusing a little pixel like that!

:)

Simple try Kaspersky's service of locating your lost phone. When I was just testing the service last year then found that using the browser in the PC, we can click pics of a stolen phone and then I realized as it can click pics without any noise then same way any malicious application can also do it.
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

neerajrawat1

  • SCF VIP Member
  • *****
  • Posts: 234
  • KARMA: 36
  • Gender: Male
  • We believe in sharing is caring
    • Experts Galaxy
I don't remember if it asks for a camera permission though it asks for admin rights and hence can access anything. Though it was just to share that it can click images without the camera sound and hence I thought that malicious codes would be there all around taking images from PCs and mobiles and also increasing the porn stuff all around.

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023