Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1809: Analytic 1809

The defender correlates managed-app or supervised-device camera access with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest iOS evidence is camera access or camera-adjacent capture activity followed by app-state evidence such as background or low-interaction operation, optional media artifact creation, and optional post-capture network transfer. Because direct low-level runtime visibility is weaker than Android for many enterprises, the primary iOS analytic should anchor on managed app context, device state, and downstream effects around camera use, with local subsystem telemetry treated as enrichment rather than sole proof.

MobileAN1809AnalyticObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about validating whether camera use on managed or supervised iOS devices looks like normal user-driven recording or something inconsistent with expected behavior. Its business value is strongest where mobile devices handle sensitive conversations, facilities, customer data, or regulated work: camera access that occurs while an app is in the background, with little user interaction, or followed by media creation and network transfer may require rapid privacy, legal, and incident-response review.

Executive priority

Prioritize this as a mobile security and privacy-control question rather than a standalone alert. Leaders should ask whether the organization can prove which managed iOS apps accessed the camera, whether that access aligned with user activity and device state, and whether downstream media or network activity can be reviewed. This supports incident decision-making, compliance evidence, and mobile application governance, especially for supervised or managed-device fleets.

Technical view

For SOC, detection engineering, and IR teams, the analytic should correlate managed-app or supervised-device camera access with app context, device state, and downstream effects. The strongest supported pattern is camera or camera-adjacent capture activity combined with background or low-interaction app state, optional media artifact creation, and optional post-capture network transfer. Because the ATT&CK description notes weaker direct low-level iOS runtime visibility for many enterprises, local subsystem telemetry should be treated as enrichment rather than sole proof.

Likely telemetry

  • Managed app inventory and app context for iOS devices
  • Supervised-device management records and device state
  • Camera access or camera-adjacent capture events where available
  • App foreground/background state or low-interaction indicators
  • Media artifact creation metadata where available

Detection direction

  • Validate that camera access is correlated with app state and user interaction, not evaluated as an isolated event.
  • Tune for expected business workflows that legitimately use camera capture, such as approved scanning, video, or field-work applications.
  • Prioritize cases where camera activity occurs in background or low-interaction conditions and is followed by media creation or network transfer.
  • Avoid relying exclusively on low-level iOS runtime telemetry, since the supplied ATT&CK description notes that this visibility may be weaker for many enterprises.
  • Use managed-app and supervised-device context as the primary anchor for triage and evidence collection.

Mitigation priorities

  • Ensure sensitive iOS use cases are enrolled as managed or supervised devices where organizational policy allows.
  • Review which managed apps are permitted to access the camera and whether that access is justified by business need.
  • Maintain mobile device management evidence that can show app context, device state, and relevant policy configuration.
  • Define incident-response handling for suspicious mobile camera activity, including privacy, legal, and user-notification considerations where applicable.
  • Use this analytic to identify telemetry gaps before relying on it for compliance or investigative conclusions.
Analyst notes and limits

No tactic, relationship context, or formal detection logic was supplied for this ATT&CK analytic. The available description supports a correlation-based iOS mobile detection strategy focused on managed apps, supervised-device context, app state, optional media artifacts, and optional network transfer after camera use.

This take is limited to the supplied ATT&CK analytic fields and one MITRE external reference. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local MDM/EMM capabilities, app instrumentation, privacy constraints, and iOS visibility determine whether the analytic is practical in a specific environment.

Official MITRE ATT&CK definition

Analytic 1809

The defender correlates managed-app or supervised-device camera access with app and device context showing that the capture is inconsistent with expected user-driven recording behavior. The strongest iOS evidence is camera access or camera-adjacent capture activity followed by app-state evidence such as background or low-interaction operation, optional media artifact creation, and optional post-capture network transfer. Because direct low-level runtime visibility is weaker than Android for many enterprises, the primary iOS analytic should anchor on managed app context, device state, and downstream effects around camera use, with local subsystem telemetry treated as enrichment rather than sole proof.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
4e8eb6c2117c36f1...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 4e8eb6c2117c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1809
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use