Chinese Mobile Phone Cameras Are Not-So-Secretly Recording Users' Activities

Oiwan Lam, reporting for Global Voices: It has been widely reported that software and web applications made in China are often built with a "backdoor" feature, allowing the manufacturer or the government to monitor and collect data from the user's device. But how exactly does the backdoor feature work? Recent discussion among mobile phone users in mainland China has shed some light on the question.

Last month, users of Vivo NEX, a Chinese Android phone, found that when they opened certain applications on the phone, including Chinese internet giant QQ browser and travel booking app Ctrip, the mobile device's camera would self-activate. [...] One Weibo user observed that the retractable camera self-activates whenever he opens a new chat on Telegram, a messaging application designed for secured and encrypted communication.

[...] After the news of the self-activated camera bug spread, users started testing the issue on other applications and found that Baidu's voice input application has access to both the camera and voice recording function, which can be launched without users' authorization. A Vivo NEX user found that once she had installed Baidu's voice input system, it would activate the phone's camera and sound recording function whenever the user opened any application -- including chat apps, browsers -- that allows the user to input text.

Re:Would the same be possible with Apple iOS?

[carlhaagen]

While the level of scrutiny and inspection procedures performed by Apple before publishing an iOS application is on a completely different level than that of Google and their Play Store, it's technically possible. But the case with these Chinese Android phones isn't really about this or that rogue app possibly showing up on the Play Store, but rather that they all come with a customized Android build prepared from start with a selection of malware/spyware. It's a complete ready-to-go, ready-to-spy package.

Re:Would the same be possible with Apple iOS?

[Solandri]

Both iOS and Android already give the device owner control over what functions an app is able to access. For example, Android notified me that an update to one of the games on my tablet was asking for access to the microphone and camera. I of course denied those permissions (the game seems to run just fine without them). Since my tablet is rooted, I also get control over which apps are allowed to use the network. So even with the few programs which need such access (like a photo-to-PDF converter), I'm confident it isn't transmitting info about me back to the app maker.

There are two reasons for the problem.

• Certain apps need such permissions. The voice input app mentioned in the summary requires access to the microphone to function. The maker of the app can then abuse that permission to use the microphone to record conversations and transmit them back to the mothership. This is even more insidious with voice recognition apps, which have to record conversations and transmit them back for the recognition stage anyway. At that point the difference between legitimate and illegitimate use becomes whether the company keeps the recordings on file, or deletes them after the recognition is completed (which is why I've long advocated that voice recognition be moved to the device itself now that processors are getting to the point where that's feasible). It's impossible for OS-level restrictions to prevent this type of abuse.
• China has encouraged forking Android and developing its own version for use in the Chinese market. Ostensibly this is to reduce the amount of control foreign companies (namely Google) have over products used within China. Most people however suspect that it's done so the Chinese government can insert its own monitoring software directly within the OS itself. The kind of stuff the NSA only dreams it could do. The maker of an open-source OS has no control over what happens to forks.