Tuesday:
Telegram caught using my camera while in the background

It was a nice spring evening when this happened. At 19:41, I came home, pulled my phone out of my pocket and saw this:

For some surprising and possibly alarming reason, the official Telegram app for Android needed access to camera while in the background! Was it Telegram itself watching me for no reason, was it a bug in the app, was it a bug in the Android permission monitoring?

I was perfectly sure that I did not use the phone at the time (I knew the exact minute I used it last time before this happened: a picture was taken at 19:25) and that Telegram was in the background.

I took the screenshot above and started thinking about the situation and what I can do to figure this out. Good ideas come slowly, and when I tried to get the phone logs with adb logcat, it was already too late: logs for that moment were gone.

So, I noted that I would need to logcat the logs later when a suspicious activity happens again and waited.

Next time this happened in the morning when I was checking my phone: this time Telegram blinked with the frontal camera right after I opened it. I was ready this time and pulled full logs from the phone.

Here it was, caught with a smoking gun:

04-30 12:10:01.032   429 20402 I CameraService: CameraService::connect call (PID -1 "org.telegram.messenger", camera ID 1) for HAL version default and Camera API version 1

This proved that Telegram used my cameras on its own, without asking/warning me, and this time it appeared smarter than before: it did not try accessing a camera from background this time, it waited until I opened the app instead.

Why the app would do that? Digging further revealed that Telegram accessed both rear and frontal camera for a moment, changing torchlight status (this is a clean excerpt, the full log is very verbose and often low-level):

04-30 12:10:01.738   429 20402 I CameraService: torch_mode_status_change: cameraId=1, TorchStatus=1
04-30 12:10:01.738   429 20402 I CameraService: onTorchStatusChangedLocked: Torch status changed for cameraId=1, newTorchStatus=1
04-30 12:10:01.739  2081 16047 I CameraManagerGlobal: postSingleTorchUpdate : Camera id 1 has torch status changed to 0x1
04-30 12:10:01.739   701  6521 I CameraManagerGlobal: postSingleTorchUpdate : Camera id 1 has torch status changed to 0x1
04-30 12:10:01.741   429   740 W QCamera2Factory: getCameraInfo: E, camera_id = 1
04-30 12:10:01.741   429   740 I QCamera2HWI: getFlashInfo cameraId:0 hasFlash:1
04-30 12:10:01.741   429   740 I QCamera2HWI: getCapabilities id:0 hasFlash:1
04-30 12:10:01.741   429   740 W QCamera2HWI: __dbg: info->orientation : 90 rc = 0
04-30 12:10:01.741   429   740 I QCamera2HWI: getFlashInfo cameraId:1 hasFlash:1
04-30 12:10:01.741   429   740 I QCamera2HWI: getCapabilities id:1 hasFlash:1
04-30 12:10:01.741   429   740 W QCamera2HWI: __dbg: info->orientation : 270 rc = 0
04-30 12:10:01.741   429   740 W QCamera2Factory: getCameraInfo: X
04-30 12:10:01.744   429 20402 I CameraService: CameraService::connect call (PID -1 "org.telegram.messenger", camera ID 1) for HAL version default and Camera API version 1

04-30 12:10:01.750   429 20402 E CameraService: checkTemperature (0)
04-30 12:10:01.750   429 20402 I CameraService: CameraService::validateConnectLocked is ok : calling pid 30732, calling uid 10137, cameraservice pid=429, device user 0, currently allowed device users: 0
04-30 12:10:01.750   429 20402 I CameraFlashlight: prepareDeviceOpen: prepare for device open(cameraId=1, package=org.telegram.messenger)
04-30 12:10:01.750   429 20402 I CameraService: torch_mode_status_change: cameraId=0, TorchStatus=0
04-30 12:10:01.750   429 20402 I CameraService: onTorchStatusChangedLocked: Torch status changed for cameraId=0, newTorchStatus=0
04-30 12:10:01.750   429 20402 I CameraService: torch_mode_status_change: cameraId=1, TorchStatus=0
04-30 12:10:01.750   429 20402 I CameraService: onTorchStatusChangedLocked: Torch status changed for cameraId=1, newTorchStatus=0
04-30 12:10:01.751   429 20402 W QCamera2Factory: getCameraInfo: E, camera_id = 1
04-30 12:10:01.751   429 20402 I QCamera2HWI: getFlashInfo cameraId:0 hasFlash:1
04-30 12:10:01.752   429 20402 I QCamera2HWI: getCapabilities id:0 hasFlash:1
04-30 12:10:01.752   429 20402 W QCamera2HWI: __dbg: info->orientation : 90 rc = 0
04-30 12:10:01.752   429 20402 I QCamera2HWI: getFlashInfo cameraId:1 hasFlash:1
04-30 12:10:01.752   429 20402 I QCamera2HWI: getCapabilities id:1 hasFlash:1
04-30 12:10:01.752   429 20402 W QCamera2HWI: __dbg: info->orientation : 270 rc = 0
04-30 12:10:01.752   429 20402 W QCamera2Factory: getCameraInfo: X

04-30 12:10:01.765   429 20402 I CameraService: torch_mode_status_change: cameraId=1, TorchStatus=0
04-30 12:10:01.765   429 20402 I CameraService: onTorchStatusChangedLocked: Torch status changed for cameraId=1, newTorchStatus=0

This log is cherry-picked and omits activation of AudioSink, MediaPlayerServer, OggExtractor, and lots of other low-level things, but I suppose that this activity is automatic when opening a camera; I could not find any explicit signs of a picture/video being taken, please feel free to examine the full log and tell me I am wrong.

Conclusion

It seems rather innocent: as far as I see, this looks like a instantaneous activation of camera torchlight without clear signs of a picture being taken. It does not look like a sneaky operation: it blinked the camera light, obviously drawing my attention. On the other hand, I do not have extensive knowledge of low-level details of camera operation on Android and I could have missed something.

The most probable benign explanation sounds like this: Telegram has been experimenting with blinking camera torchlight on new messages for phones that do not have a LED above the screen dedicated to notifications (like in many Sony smartphones). The first time they were releasing this feature, Permission Manager was raising warnings about the app using camera from the background. This explains the first time: I was coming home, my phone connected to home Wi-Fi from the street, Telegram detected new messages and tried to blink about this with the torchlight from the background. The second time they fixed the background access and restricted blinking to foreground mode.

Still, I do not feel comfortable with Telegram accessing my camera without my intent. The blinking feature (as I guess it) sounds dubious and unnecessary to me (I try to restrict notifications on my phone as much as I can) and it’s easy to sneak any malicious activity later, covering camera activity with innocent explanations.