Researchers Analyze Over 17,000 Android Apps for Privacy and Surveillance Risks
Experts from Northwestern University and the University of California, Santa Barbara set out to determine whether mobile apps are secretly spying on users by listening in or watching through device cameras and microphones. After analyzing the behavior of 17,260 Android apps, the researchers concluded that these apps do not use access to cameras and microphones for covert surveillance. However, some apps may take screenshots and upload them to remote servers.
Study Overview and App Statistics
The researchers examined 15,627 apps from the Google Play Store, as well as apps from third-party catalogs: 510 from AppChina, 528 from Mi.com, and 285 from the Anzhi portal.
They investigated which apps requested access to the device’s camera and microphone, how often these permissions were requested, and whether the app code contained API calls specific to collecting multimedia data (such as Audio API, Camera API, and Screen Capture API). The team also checked whether these API references were written by the app developers themselves or were part of third-party libraries used by the apps.
It turned out that only a small number of apps actually used their access to the camera and microphone as intended. Still, the researchers warn that the potential risk remains high, since developers can update their products at any time, and previously unused permissions could be exploited by new or updated third-party code added to the app.
“Moreover, third-party code that doesn’t have multimedia permissions in one version of an app could misuse permissions granted to future versions,” the researchers noted.
Out of the 17,260 apps studied, the team found only 21 apps that recorded and transmitted multimedia data. Of these, 12 either transmitted data in plain text (HTTP) or, due to coding errors, took screenshots and uploaded them online. The remaining 9 apps uploaded images to cloud servers for editing, but did not inform users, which is also considered a data leak.
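The attribution step described in this section, sketched as an added example (it is not the researchers' tooling): given an app's declared permissions and a list of API references, it separates first-party from third-party use and flags the risks the article names. The package names, the sample call sites and the rule that any class outside the app's own package counts as third-party are assumptions made for illustration.

```python
# Multimedia API classes and the manifest permission each one depends on.
# None marks in-app screen capture, which needs no permission.
MEDIA_APIS = {
    "android.hardware.Camera": "android.permission.CAMERA",
    "android.hardware.camera2.CameraManager": "android.permission.CAMERA",
    "android.media.AudioRecord": "android.permission.RECORD_AUDIO",
    "android.view.PixelCopy": None,
}

def audit(app_package, permissions, call_sites):
    """Attribute multimedia API references to app code or bundled libraries.

    call_sites is an iterable of (caller_class, api_class) pairs, as a
    decompiler or static analyzer would report them.
    """
    report = {"first_party": [], "third_party": [], "latent_third_party": [],
              "permissionless_capture": [], "unused_permissions": []}
    exercised = set()
    for caller, api in call_sites:
        if api not in MEDIA_APIS:
            continue
        # Assumption: code outside the app's own package is third-party.
        # Obfuscated or repackaged classes would need a library fingerprint.
        own = caller.startswith(app_package + ".")
        needed = MEDIA_APIS[api]
        if needed is None:
            if not own:
                report["permissionless_capture"].append((caller, api))
        elif needed in permissions:
            exercised.add(needed)
            report["first_party" if own else "third_party"].append((caller, api))
        elif not own:
            # Library code that starts working once a later version adds the permission.
            report["latent_third_party"].append((caller, api))
    media_perms = {p for p in MEDIA_APIS.values() if p}
    report["unused_permissions"] = sorted((media_perms & set(permissions)) - exercised)
    return report

# Constructed sample: a hypothetical photo app bundling a hypothetical SDK.
SAMPLE_CALLS = [
    ("com.example.photoapp.ui.CaptureActivity", "android.hardware.camera2.CameraManager"),
    ("com.hypothetical.adsdk.Recorder", "android.media.AudioRecord"),
    ("com.hypothetical.adsdk.Snapshot", "android.view.PixelCopy"),
    ("com.example.photoapp.util.Cache", "java.io.File"),
]

if __name__ == "__main__":
    perms = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}
    for key, value in audit("com.example.photoapp", perms, SAMPLE_CALLS).items():
        print(key, value)
```

A non-empty `third_party`, `latent_third_party` or `permissionless_capture` list is the cue to review what the bundled library does with the data before shipping the next version.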
Risks from Third-Party Libraries
Although the researchers did not find evidence of apps using cameras and microphones for direct surveillance, they warn that third-party libraries pose a significant threat. As mentioned, these libraries can start using permissions previously granted to the app for their own purposes. Because of this, the researchers believe that Android developers should prevent third-party libraries from using the functions of the “parent” app without explicit permission.
“For example, [third-party libraries] can be used to capture the app’s screen without needing separate permissions. Apps often display sensitive information, and this behavior could lead to covert monitoring of users by third parties,” the researchers concluded.