Can a smartphone really be harmful if it is powered off? I recently read about a smartphone app that could take...
pictures and videos -- all while powered off. What can prevent this from happening?
There are plenty of mobile apps that can surreptitiously activate a phone's camera and microphone when the phone is turned on, but a smartphone cannot function if it is completely powered off. However, it's important to note that it's getting harder to tell when a modern phone is powered down and truly off nowadays. Often the main operating system can appear to be shut down even if some elements of the processor are still running in the background.
For example, proof-of-concept spyware for Google Glass can take and upload a photo every 10 seconds when the display is off without giving the user any indication that it's doing so.
In the scenario you reference, researcher Szymon Sidor demoed how an Android app can take photos and videos even while the phone's screen is turned off. While the Android operating system won't allow the camera to record without a viewfinder preview being displayed on screen, Sidor side-stepped this requirement by making the preview so small -- just one pixel by one pixel -- that it is effectively invisible (especially since modern screens have over 400 pixels per inch). This one pixel preview does make it possible for an app to take photos when the phone's display is thought to be turned off by the user -- a loophole Google needs to fix.
To avoid this type of malicious app, only download apps from legitimate app stores and avoid apps that request permissions they don't need. For example, a calculator that needs network access, or an alarm clock that wants access to contact information should be treated with extreme caution. A smartphone is a powerful computing device and should be protected accordingly, so be sure to use an antimalware program that includes malware prevention, remote data wipe and privacy reviews of apps.
The good news is that powering down your phone completely will stop malicious apps from functioning, and those apps cannot covertly switch the device back on. However, what is technically possible is malicious code that prevents the on-off controls from operating correctly and merely places the handset into hibernation, switching the screen off in the process so the user believes the device has been powered down. While malware capable of putting a smartphone into hibernation for long periods has not yet been seen in the wild, the threat posed by hibernating malware should not be underestimated. As of right now, there is nothing to stop intelligence services or cybercriminals from working out how to intercept the on-off commands and place the smartphone into a covert hibernation mode.
Enterprises must remember that a powered-down smartphone can still be a security risk if it's stolen and no password lock has been set up. A thief could easily access all the data on a phone, which is another reason to encrypt data stored on a phone and set up remote wipe functionality.
Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email! (All questions are anonymous.)
Dig Deeper on Mobile security threats and prevention
Related Q&A from Michael Cobb
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ...continue reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ...continue reading
App trackers were found in hundreds of Google Play apps. Expert Michael Cobb explains the threat they pose and how GDPR has the potential to reduce ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.