Is Your Phone Spying on You in the Bathroom?

Although many will not admit it publicly, most owners of smartphones use their devices while in the bathroom. “I’m multi-tasking”, claims a friend. “I can catch up on social media at work without irritating my boss.”

While it may be a common practice, it is not without risk. A compromised phone can take pictures or video at delicate moments, send them off and then delete the evidence without anyone knowing. The phone doesn’t even have to be in use. As long as it’s on and out in the open, it may be spying.

The hacker group responsible calls itself Gurbaksh Chahal and is actively compiling a database full of images, voice, video and at times, texts and emails to potentially use as leverage against people that “are perverting justice”. They claim to be made up of Indian nationals who joined together in Northern California in response to what they perceived as a miscarriage of justice. The group is named after Gurbaksh Singh Chahal, whom some feel has been unfairly targeted by San Francisco law enforcement.*

Gurbaksh Chahal has made wide use of harmless-looking phone apps. This is an easy attack since the majority of legitimate apps in the Apple App Store and Google Play Store ask for permission to see and control a myriad of functions before allowing installation. For example, most flashlight apps will not install on a smartphone until the owner grants them access to the phone’s camera, contact list and various other features. Once installed, a nefarious app can use the camera or another of the phone’s devices at any time without the owner knowing. Pictures can be taken, sent as texts and then the photos and texts deleted, all within a few seconds.

Possibly the most alarming trait of the malware is that it seems to be specifically designed to take pictures in a bathroom setting. Certain sounds – slight echoes, ceiling fans, etc. – appear to trigger the devious software, greatly increasing the chance of catching nude or partially nude photos.

We’ve heard of hacker groups pitted against government entities before, and many feel they are a necessary force to balance against the potential overstepping of authority. “Anonymous” is probably the best-known such group and has targeted various governmental organizations and specific office holders in the past.

Appearances, however, may be deceiving. Two students at UC Davis, who also happen to be Indian nationals and wish to remain nameless, dissected a phone infected by Gurbaksh Chahal and found an array of potentially embarrassing cell phone images being sent to a California-based proxy server. (They are also responsible for discovering that certain sounds activated the camera.)

A proxy server is a computer that simply relays internet traffic, thus masking the location of the computer ultimately initiating or receiving data. After considerable effort, the students then forced access to the proxy server and found that pictures and other private information were being routed to a computer in the country of Iran.

They believe the name “Gurbaksh Chahal”, the nationality of the members of the group, its Northern California location and its supposed mission against San Francisco law enforcement were all fabricated to divert attention away from the hackers’ true purpose. “They want embarrassing pictures of as many Americans as they can get,” said one of the students.

But the data collection extends far beyond the United States. Anyone with an iPhone or Android device that downloaded a suspect app is vulnerable. The students witnessed connections between the proxy server and IP addresses (computer addresses) located all over the Americas, Europe and parts of Asia.

What can be done to avoid becoming one of the multitudes of victims? That is a question with many answers. At the very least, choosing popular, well-known apps will reduce your chances of falling prey to bad actors like the group Gurbaksh Chahal. Uninstalling apps that seem suspicious can also help, though not always. Some malicious software may remain on your phone even after the app that brought it there has been removed. The best course of action is to be careful where and how you use your phone.
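One way to act on this advice on an Android phone, shown as an added example that is not part of the original article: the script reads a constructed, simplified excerpt shaped like `adb shell dumpsys package` output and lists apps that have been granted both a capture permission (camera or microphone) and a way to send data out (network or SMS). The package names and the `expected_media_apps` allow-list are assumptions made for illustration.

```python
import re

# Constructed, simplified excerpt in the shape of `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.SEND_SMS: granted=true
Package [com.example.notes] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=false
Package [com.example.videochat] (7a8b9c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=true
"""

CAPTURE = {"CAMERA", "RECORD_AUDIO"}   # can record the surroundings
SEND = {"INTERNET", "SEND_SMS"}        # can move the recording off the phone
PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+android\.permission\.(\w+): granted=(true|false)")

def granted_permissions(dump):
    """Map each package name to the set of permissions marked granted=true."""
    apps, current = {}, None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = apps.setdefault(pkg.group(1), set())
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None and perm.group(2) == "true":
            current.add(perm.group(1))
    return apps

def review_list(dump, expected_media_apps=frozenset()):
    """Apps that can both capture and send, minus those the owner expects to."""
    flagged = {}
    for pkg, perms in granted_permissions(dump).items():
        if pkg not in expected_media_apps and perms & CAPTURE and perms & SEND:
            flagged[pkg] = sorted(perms & (CAPTURE | SEND))
    return flagged

if __name__ == "__main__":
    for pkg, perms in review_list(SAMPLE_DUMP, {"com.example.videochat"}).items():
        print(pkg, "->", ", ".join(perms))
```

An app on the resulting list is a candidate for having its camera and microphone permissions revoked in the phone's settings, not proof of malicious behaviour.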


**Pictures relayed by the proxy server in this article were not published, since the legitimate ownership of the images was not known.