Earlier this year, a team of Northeastern researchers found that some Android apps were collecting user data—but not by activating microphones, as people might assume. These apps were directly targeting the screen.

“The screen is considered property of the app,” said Christo Wilson, an associate professor of computer science who co-authored the study. “The app can do whatever it wants to it.”

As the study showed, this doesn’t require explicitly notifying users. Plus, Android itself doesn’t send data collection notifications on behalf of its apps. But while individual app developers can notify users when they’re collecting information or monitoring activity, many don’t.

So who were the culprits? Here are two you might have in your back pocket.

goPuff

Delivery apps take convenience to the next level, bringing pizza, laundry, and more right to your door. If it sounds too good to be true, take a peek behind the curtain—to keep itself running smoothly, Wilson said, this app routinely monitored users’ activity and sent it to third parties.

Surveillance method: Recording videos of screen activity

What was being watched? “Everything you did in the app: searches you made, things you added to your cart,” said Wilson. “And then during the checkout, some things like zip code were getting recorded—although not the credit card number, thankfully.”

Is your smartphone spying on you?

Prisma Photo Editor (and others)

When you edit a picture in an app, that photo stays on the phone itself, right? Think again, said Wilson. This study uncovered six photo-editing apps that used their own cloud servers to host every single photo—Instagram-worthy or not.

Surveillance method: Uploading photos to remote server

What was being watched? “Any photo you decide to edit in the app,” Wilson said. “It could be a screenshot you took. It could be a photo you took with the selfie camera. It could be completely banal or it could be extremely intimate. And it’s all getting sent.”