⬆️ ⬇️

ADB vs Spy Cam & Mic

How to check if any application on Android- smartphone leads photo or video reportage, although it never comes to anything? The following option is not perfect, but does not require a "root" or custom firmware.



PS I added a description of the application access monitoring to the microphone to the article.



What you need to install:



We turn on the debugging mode via USB on the phone and connect the smartphone to the USB port of the computer, and select the USB connection mode other than “Charging Only”.

Hidden text
In the "Device Manager" smartphone is displayed, for example, as follows:

in the "Photo" or "Files"



in “USB disk” mode



And this is the output of the lsusb command:





Open the command line in the directory in which the "tools" are installed.

Check that the connection is successful (the serial number of the connected smartphone is displayed):

adb devices 
(for Windows )



For Linux, the team would look like this:

 ./adb devices 


If the computer is not authorized for use with this smartphone (for Android 4.2.2 and later), then the warning message " unauthorized " will appear next to the serial number.

For authorization, you must confirm the debugging permission via USB on your smartphone.

Hidden text
Under Linux , the message " no permissions " may appear - in my case I managed to solve the problem by switching the smartphone to the "Media Device ( MTP )" mode.



Run the shell on the device (we get the "$" prompt):

 adb shell 




')

Then enter the following "magic" characters:

 while true; do ps `while ! (dumpsys media.camera | grep -E "PID") do done | grep -o "[^PID: ][0-9]*$"` | grep -o "[^S ]*$" ; date; sleep 1; done 






Improved version that removes the output "NAME" and empty lines:

 while true; do ps `while ! (dumpsys media.camera | grep -E "PID") do done | grep -o "[^PID: ][0-9]*$"` | grep -o "[^S ]*$" | grep -v "NAME" | grep .; date; sleep 1; done 




And nothing happens :-) Until something decides to shoot a little :-)



This “magic” character set starts monitoring the access to the camera service media.camera as fast as possible (this service is implemented by the library libcameraservice.so ). If the camera is not active, dumpsys issues something like this:



And if the camera is needed, then this appears:





grep checks for the presence of a " PID " and, if this chain is present, then cut out the process number from the line and feed it to the ps command, which displays data about this process, and another grep cuts its name. After detecting the activity of the camera, we pause for a second so that the messages do not fall out too often. To interrupt the command, use the CTRL-C key combination, and to exit the shell - CTRL-D .



The simplest example is that after launching a full-time smartphone / photo / video application, messages with the process name and date / time begin to spill at 1 second intervals:



"



But there are more tricky applications, they can be found by the keyword "spy cam" (using a trick, for example, with a single-pixel preview ( http://www.ez.ai/2014/05/exploring-limits-of-covert-data .html )). A similar creation at the start of shooting collapses and reports, but the messages flow regularly:







I also checked the performance of the proposed method on an application that takes a single shot when I press the floating button. without any visible preview window.

The script successfully caught the call to the camera and issued two messages with each shot:





But after all, nothing prevents to implement similar functionality in the application with a more harmless name ( https://www.zdnet.com/article/this-scary-android-malware-can-record-audio-video-and-steal-your- data / ), and permissions - well, there are all sorts of cases. Yes, and the "legal" application can keep a report when it pleases (I met the mention of one such case). And for good reason in Android P took measures to prevent access to the camera background applications.



The method has been tested on Huawei SCL-L01 smartphones ( Android 5.1.1) and Huawei G700-U20 ( Android 4.2.1), on other smart phone models the output format of the dumpsys may differ (for media.camera service it is not standardized), which will require code correction .

The message format is hard-wired in the /system/lib/libcameraservice.so library — for example, for the Huawei SCL-L01 smartphone:



In the comment - a hint how to change the code to work with a smartphone for Android 9.

This comment provides a log of calls to the camera, which is the HTC U11 .

But, for example, on the “ancient” Huawei U8650 ( Android 2.3.4), dumpsys works fine:



And the rights are not enough for ... grep :-)





Microphone Access Monitoring



A similar method can be applied to monitor the access of applications to the microphone. In this case, you need to monitor the media.audio_flinger service.

Enter the command in the shell (the code above works for the Huawei SCL-L01 smartphone ( Android 5.1.1)):

 while true; do ps `while ! (dumpsys media.audio_flinger | grep -A20 Input| grep -A1 Client | grep yes | grep -o "[^yes ].*" | grep -o [0-9]*) do done` | grep -o "[^S ]*$" | grep -v "NAME" | grep .; date; sleep 1; done 


If some application records sound through a microphone, then a similar fragment is present in the output of dumpsys media.audio_flinger :



( Input thread - input stream, 22467 - PID of the sound recording process).

When recording audio through the standard Dictaphone application and monitoring turned on (using the above code), the following messages appear:



And here are the messages that are poured out when Google’s translator’s voice input is activated:



On other smartphone models, the output format of the dumpsys may be different, which will require code correction.

For example, on the smartphone Huawei G700-U20 ( Android 4.2.1):



In this case, the code for monitoring will be:

 while true; do ps `while ! (dumpsys media.audio_flinger | grep -A3 Input| grep -A1 Clien | grep -o "[^ ].*" | grep -o [0-9]*) do done` | grep -o "[^S ]*$" | grep -v "NAME" | grep .; date; sleep 1; done 


Here is how Alice “revived” in this case:

Source: https://habr.com/ru/post/435098/



All Articles