We have seen some scary Android malware in the past, but a new report from former Googler and current software engineer turned accidental security researcher Szymon Sidor reveals that some simple code can force an Android phone to secretly capture photographs. The resulting images can then be uploaded to a remote server without the device’s owner ever knowing.

Writing on his blog Snacks for your mind, Sidor reveals that he has inadvertently uncovered a huge security loophole in Android.

“There are many apps on Play Store (if you are iPhone user think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more) but from what I found all of them require app activity to be visible and phone screen to be on,” Sidor wrote. “Some of them manage to record video without visible preview.”

With that in mind, Sidor decided to see if he could get an Android phone to take pictures — and ultimately send them to a remote server of his choosing — without the user ever knowing.

Unfortunately for Android users everywhere, he accomplished his goal.

In a nutshell, Sidor was able to create an app that gets around Android’s requirement that a preview must be displayed on a device’s screen when a photo is being captured. Actually, he didn’t really get around the requirement, but instead found a brilliant loophole:

Sidor’s software still displays a preview while capturing photos, but that preview feed is only displayed on one single pixel.

In other words, instead of showing the viewfinder preview feed on the phone’s entire screen, Sidor’s app sends the feed to just one pixel so it is basically invisible. Since modern smartphone displays have so many pixels, having one light up on a full HD display packed with more than two million pixels is impossible for the user to notice, whether the screen is on or off.

Horrifying indeed.

Sidor is the first engineer to publicly discuss this huge security hole, but there is no way to tell if he is the only person who has known about it and implemented it. In fact, it is entirely possible that malicious apps currently exist that are capable of spying on device owners by secretly capturing photos and transmitting them to remote servers.

Sidor’s post is a fascinating and terrifying read, and it’s linked below in our source section.