Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information.
Android and iOS, by default, require that applications request device microphone access from the user.
On Android devices, applications must hold the RECORD_AUDIO permission to access the microphone or the CAPTURE_AUDIO_OUTPUT permission to access audio output. Because Android does not allow third-party applications to hold the CAPTURE_AUDIO_OUTPUT permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output. However, adversaries may be able to gain this access after successfully elevating their privileges. With the CAPTURE_AUDIO_OUTPUT permission, adversaries may pass the MediaRecorder.AudioSource.VOICE_CALL constant to MediaRecorder.setAudioOutput, allowing capture of both voice call uplink and downlink.
On iOS devices, applications must include the NSMicrophoneUsageDescription key in their Info.plist file to access the microphone.
AbstractEmu can grant itself microphone permissions.
BusyGasper can record audio.
CarbonSteal can remotely capture device audio.
Corona Updates can record MP4 files and monitor calls.
Desert Scorpion can record audio from phone calls and the device microphone.
DoubleAgent has captured audio and can record phone calls.
Exodus Two can record audio from the compromised device's microphone and can record call audio in 3GP format.
FinFisher uses the device microphone to record phone conversations.
FlexiSpy can record both incoming and outgoing phone calls, as well as microphone audio.
FrozenCell has recorded calls.
Golden Cup can record audio from the microphone and phone calls.
GoldenEagle has recorded calls and environment audio in .amr format.
Monokle can record audio from the device's microphone and can record phone calls, specifying the output audio quality.
|S0316||Pegasus for Android||Pegasus for Android has the ability to record device audio.|
|S0289||Pegasus for iOS||Pegasus for iOS has the ability to record audio.|
RCSAndroid can record audio using the device microphone.
RedDrop captures live recordings of the device's surroundings.
Skygofree can record audio via the microphone when an infected device is in a specified location.
SpyNote RAT can activate the victim's microphone.
Stealth Mango can record audio using the device microphone.
Tangelo contains functionality to record calls as well as the victim device's environment.
Tiktok Pro can capture audio from the device’s microphone and can record phone calls.
ViceLeaker can record audio from the device’s microphone and can record phone calls together with the caller ID.
Windshift has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.
|S0318||XLoader for Android||XLoader for Android covertly records phone calls.|
|M1006||Use Recent OS Version||Android 9 and above restricts access to microphone, camera, and other sensors from background applications.|
Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output.
|ID||Data Source||Data Component|
|DS0041||Application Vetting||Permissions Requests|
|DS0042||User Interface||System Settings|
In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.
In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.
Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.
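The permission review described above can be automated during application vetting. The following is an added example, not part of the original page: it assumes the Android manifest has already been decoded from the APK's binary XML into text, and the function names, severity labels and sample inputs are hypothetical.

```python
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
AUDIO_PERMISSIONS = ("android.permission.RECORD_AUDIO",
                     "android.permission.CAPTURE_AUDIO_OUTPUT")

def vet_android_manifest(manifest_xml, third_party=True):
    """Map each requested audio permission to 'review' or 'high'."""
    # An APK is untrusted input and a manifest never needs a DTD.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("refusing manifest that carries a DTD")
    findings = {}
    for elem in ET.fromstring(manifest_xml).iter():
        # Matches <uses-permission> and <uses-permission-sdk-23>.
        if not elem.tag.startswith("uses-permission"):
            continue
        name = elem.get(ANDROID_NS + "name", "").strip()
        if name in AUDIO_PERMISSIONS:
            # Audio output capture is reserved for privileged apps, so a
            # third-party app requesting it gets the higher severity.
            escalate = third_party and name.endswith("CAPTURE_AUDIO_OUTPUT")
            findings[name] = "high" if escalate else "review"
    return findings

def vet_ios_info_plist(plist_bytes):
    """Return the microphone usage string, or None if the key is absent."""
    return plistlib.loads(plist_bytes).get("NSMicrophoneUsageDescription")

# Constructed sample inputs, not taken from any real application.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission-sdk-23
      android:name="android.permission.CAPTURE_AUDIO_OUTPUT"/>
</manifest>"""
SAMPLE_PLIST = plistlib.dumps({"CFBundleName": "Constructed",
                               "NSMicrophoneUsageDescription": "Voice notes"})
SAMPLE_PLIST_NO_MIC = plistlib.dumps({"CFBundleName": "Constructed"})

if __name__ == "__main__":
    for perm, severity in vet_android_manifest(SAMPLE_MANIFEST).items():
        print(f"android {severity:6} {perm}")
    print("ios microphone usage:", vet_ios_info_plist(SAMPLE_PLIST))
```

A declared permission or usage key only shows that the application can ask for microphone access; whether the request fits the application's stated purpose still needs a reviewer's judgment.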
In both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.