DOC RABE Media - Fotolia

Manage Learn to apply best practices and optimize your operations.

Are malicious mobile apps a threat to powered-down smartphones?

A security researcher recently demonstrated how a smartphone was still susceptible to malicious threats even with the display turned off. Expert Michael Cobb discusses the new malware threats to smartphones.

Can a smartphone really be harmful if it is powered off? I recently read about a smartphone app that could take pictures and videos -- all while powered off. What can prevent this from happening?

There are plenty of mobile apps that can surreptitiously activate a phone's camera and microphone when the phone is turned on, but a smartphone cannot function if it is completely powered off. However, it's important to note that it's getting harder to tell when a modern phone is powered down and truly off nowadays. Often the main operating system can appear to be shut down even if some elements of the processor are still running in the background.

For example, proof-of-concept spyware for Google Glass can take and upload a photo every 10 seconds when the display is off without giving the user any indication that it's doing so.

In the scenario you reference, researcher Szymon Sidor demoed how an Android app can take photos and videos even while the phone's screen is turned off. While the Android operating system won't allow the camera to record without a viewfinder preview being displayed on screen, Sidor side-stepped this requirement by making the preview so small -- just one pixel by one pixel -- that it is effectively invisible (especially since modern screens have over 400 pixels per inch). This one pixel preview does make it possible for an app to take photos when the phone's display is thought to be turned off by the user -- a loophole Google needs to fix.

To avoid this type of malicious app, only download apps from legitimate app stores and avoid apps that request permissions they don't need. For example, a calculator that needs network access, or an alarm clock that wants access to contact information should be treated with extreme caution. A smartphone is a powerful computing device and should be protected accordingly, so be sure to use an antimalware program that includes malware prevention, remote data wipe and privacy reviews of apps.

The good news is that powering down your phone completely will stop malicious apps from functioning, and those apps cannot covertly switch the device back on. However, what is technically possible is malicious code that prevents the on-off controls from operating correctly and merely places the handset into hibernation, switching the screen off in the process so the user believes the device has been powered down. While malware capable of putting a smartphone into hibernation for long periods has not yet been seen in the wild, the threat posed by hibernating malware should not be underestimated. As of right now, there is nothing to stop intelligence services or cybercriminals from working out how to intercept the on-off commands and place the smartphone into a covert hibernation mode.

Enterprises must remember that a powered-down smartphone can still be a security risk if it's stolen and no password lock has been set up. A thief could easily access all the data on a phone, which is another reason to encrypt data stored on a phone and set up remote wipe functionality.

Ask the Expert!
Want to ask Michael Cobb a question about application security? Submit your questions now via email! (All questions are anonymous.)

Next Steps

Learn more about mobile application management and mobile device management.

This was last published in November 2014

Dig Deeper on Mobile security threats and prevention

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.