Can a smartphone really be harmful if it is powered off? I recently read about a smartphone app that could take pictures and videos -- all while powered off. What can prevent this from happening?
There are plenty of mobile apps that can surreptitiously activate a phone's camera and microphone when the phone is turned on, but a smartphone cannot function if it is completely powered off. However, it is getting harder to tell whether a modern phone is truly powered off. Often the main operating system can appear to be shut down even if some elements of the processor are still running in the background.
For example, proof-of-concept spyware for Google Glass can take and upload a photo every 10 seconds when the display is off without giving the user any indication that it's doing so.
In the scenario you reference, researcher Szymon Sidor demoed how an Android app can take photos and videos even while the phone's screen is turned off. While the Android operating system won't allow the camera to record without a viewfinder preview being displayed on screen, Sidor side-stepped this requirement by making the preview so small -- just one pixel by one pixel -- that it is effectively invisible (especially since modern screens have over 400 pixels per inch). This one-pixel preview makes it possible for an app to take photos when the user believes the phone's display is turned off -- a loophole Google needs to fix.
To avoid this type of malicious app, only download apps from legitimate app stores and avoid apps that request permissions they don't need. For example, a calculator that needs network access, or an alarm clock that wants access to contact information should be treated with extreme caution. A smartphone is a powerful computing device and should be protected accordingly, so be sure to use an antimalware program that includes malware prevention, remote data wipe and privacy reviews of apps.
The good news is that powering down your phone completely will stop malicious apps from functioning, and those apps cannot covertly switch the device back on. However, what is technically possible is malicious code that prevents the on-off controls from operating correctly and merely places the handset into hibernation, switching the screen off in the process so the user believes the device has been powered down. While malware capable of putting a smartphone into hibernation for long periods has not yet been seen in the wild, the threat posed by hibernating malware should not be underestimated. As of right now, there is nothing to stop intelligence services or cybercriminals from working out how to intercept the on-off commands and place the smartphone into a covert hibernation mode.
Enterprises must remember that a powered-down smartphone can still be a security risk if it's stolen and no password lock has been set up. A thief could easily access all the data on a phone, which is another reason to encrypt data stored on a phone and set up remote wipe functionality.
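The permission check advised above (a calculator asking for network access, an alarm clock asking for contacts) can be automated across a device fleet. The following is an added example, not code from the original article: it parses lines in the `package:` / `uses-permission:` style printed by Android's aapt tool and flags permissions outside a per-category baseline. The baseline table, the category mapping and the sample input are assumptions constructed for illustration.

```python
import re

# Assumed per-category baselines for this example, not an official policy.
EXPECTED = {
    "calculator": set(),
    "alarm_clock": {"android.permission.WAKE_LOCK", "android.permission.VIBRATE"},
}
# Permissions that allow capture or exfiltration when an app has no need for them.
SENSITIVE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
             "android.permission.READ_CONTACTS", "android.permission.INTERNET"}

# Accept both "uses-permission: name='X'" and "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?")

def parse_dump(text):
    """Return {package: set(permissions)} from one or more concatenated dumps."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), set())
        elif (m := PERM_RE.match(line)) and current is not None:
            current.add(m.group(1))
    return apps

def audit(apps, categories):
    """List (package, permission, severity) for permissions outside the baseline."""
    findings = []
    for pkg, perms in sorted(apps.items()):
        # Unknown category means an empty baseline: every permission is reported.
        allowed = EXPECTED.get(categories.get(pkg), set())
        for perm in sorted(perms - allowed):
            sev = "high" if perm in SENSITIVE else "review"
            findings.append((pkg, perm, sev))
    return findings

# Constructed sample input (hypothetical package names).
SAMPLE = """\
package: com.example.calc
uses-permission: name='android.permission.INTERNET'
package: com.example.alarm
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
"""
CATEGORIES = {"com.example.calc": "calculator", "com.example.alarm": "alarm_clock"}
if __name__ == "__main__":
    for pkg, perm, sev in audit(parse_dump(SAMPLE), CATEGORIES):
        print(f"[{sev}] {pkg} requests {perm}")
```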