An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files.
Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of the device’s cameras for video recording rather than capturing the victim’s screen.
In Android, an application must hold the
android.permission.CAMERA permission to access the cameras. In iOS, applications must include the
NSCameraUsageDescription key in the
Info.plist file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.
|S0316||Pegasus for Android|
|M1006||Use Recent OS Version||
Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device’s camera.
The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission
android.permission.CAMERA, or the iOS
NSCameraUsageDescription plist entry could be given closer scrutiny.