Abstract: Most smartphones come with at least one camera, and the camera is used mostly with Android applications that share media (photos, videos, etc.). Thus, hackers are finding devious ways to exploit the smartphone camera. Smartphones are almost always connected to the Internet. Most applications make use of the mobile data network or Wi-Fi to send and receive data, both in the foreground and in the background. In some cases, this sending and receiving of information helps improve the efficacy of the application by connecting to, say, the social media accounts of the user or sending some user-related information, such as location, to the application developer. This can help the developers cater to the needs of the users in a better way and modify the application accordingly. However, as much as the Internet can be used to send and/or receive useful data, there is a very good chance of it being exploited by malicious applications to transmit sensitive information, which can infringe on the user's privacy. Such sensitive information can include personal photos, videos, SMS, etc. This transmission can very well happen without the user knowing about it. One attack that infringes on the user's privacy is a camera-based attack. There is a possibility that an Android camera can be used to surreptitiously capture photos and/or videos without the user knowing about it. These captured photos and videos can be sent over mobile data networks or Wi-Fi to criminals/hackers. Here, we attempt to implement the attack on mobile phones and demonstrate the feasibility and effectiveness of the attack. Furthermore, we propose a defence scheme that can effectively detect these attacks and notify the user.

Keywords: Android Security, Camera API, Camera Attack, SurfaceView, Background service.