A security researcher has found that by creating an app that exploits a simple loophole in Android, he could get a device to take photos with its camera and upload them to a remote server without user permissions.
Former Google employee Szymon Sidor has found a loophole in Android that allows malicious apps to take control of your smartphone's camera and upload the images to an unknown server without you knowing it.
Sidor, who now works as a security researcher, stated on his Snacks For Your Mind blog that he had observed numerous apps on Google Play that were capable of taking photos secretly. Google requires an app to show an on-screen preview in order to take photos, but it sets no minimum size for that preview. The preview can be as small as 1 pixel, and on a screen with millions of pixels you will never spot it. Google could close this loophole by mandating that on-screen previews cover a certain percentage of the screen. Sidor's app was also able to capture other details from the device, such as the battery level and even the user's current location.
Sidor recreated the loophole in a video. He ends his post with a simple request to Android’s security team: “Please put more effort into ensuring users’ privacy.”