Android Security Flaw Allow Control of your Smartphone Camera
According to researcher Syzmon Sidor, your smartphone camera can spy
on you without so much as a notification to tip you off. The spy app,
which doesn’t even show up in the phone’s list of installed
applications, can then send photos over the Internet to anyone on the
planet.
This is the first reported instance of a hacker being able to secretly hijack Android cameras.
For years, cameras have been seen as security threats on Windows and
Mac computers. They can be hijacked by hackers of all stripes to turn on
without any indication and record what happens right in front of them.
Sidor decided to focus on Android, the most popular mobile operating
system on the planet, to see if he could surreptitiously take pictures
or record video at any time with a malicious spy app that the phone’s
owner doesn’t know about. The answer quickly turned out to be “yes.”
According to the operating system’s rules, using an Android’s camera
requires that a preview of the picture is displayed on the screen so
that the phone’s owner knows without a doubt that the camera is on. In
an attempt to circumvent those rules and operate the camera secretly,
Sidor first tried to make the preview invisible but failed to fool the
operating system. Making the preview transparent or covering it up with
other applications were also ignored by Android.
But eventually he found a solution. The programmer made the camera
preview the size of a single pixel, so small that no human being could
possibly see it even if they know where to look. It is, however, big
enough that Android is tricked into believing a legitimate preview is
running and that the phone’s owner is aware that the camera is in use.
This approach allows the camera to operate without anyone else knowing,
perfect for spying.
All of sudden, Sidor had found a way to secretly operate a smartphone
camera. He recorded a demo on a Nexus 5 phone and uploaded the results
to YouTube.
He said the hack was “amazing and scary at the same time” and called the loophole “inexcusable.”
No comments:
Post a Comment