MITRE ATT&CK® Technique

T1512: Video Capture

An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files.

Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of the device’s cameras for video recording rather than capturing the victim’s screen.

In Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.

Mobile | T1512 | Technique | Object v2.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Video Capture is a mobile technique where malware or scripts use a device camera to record video or capture images. For leaders, the business issue is not just data theft; it is surveillance risk from corporate or personally used mobile devices that may expose meetings, facilities, documents, personnel, or sensitive environments. ATT&CK lists both Android and iOS as relevant platforms, with normal camera access gated by user-granted permissions, while rooted or jailbroken devices may weaken those protections.

Executive priority

Prioritize this behavior where mobile devices are used in executive settings, regulated operations, critical infrastructure, government-facing work, or locations where physical visibility creates security risk. Key leadership questions: which apps are allowed camera access, how quickly can the organization identify suspicious camera permission use, are mobile OS versions kept current, and are rooted or jailbroken devices restricted from sensitive work? This technique also matters for audit and incident response because permission governance, mobile device posture, and app inventory can become the evidence that proves whether the organization had reasonable mobile surveillance controls.

Technical view

For SOC, detection engineering, and IR teams, validate mobile coverage for Android and iOS camera access indicators rather than relying on network telemetry alone. On Android, review applications requesting or holding `android.permission.CAMERA`. On iOS, review apps declaring `NSCameraUsageDescription` in `Info.plist` and correlate with user-granted camera permission. Investigations should distinguish expected camera use by approved business apps from unusual camera access by apps with remote access, spyware, or sideloaded characteristics. Relationship context shows many Android malware and spyware families use this technique, plus an iOS spyware example, so mobile app inventory, permission state, device integrity, and file/exfiltration follow-on evidence are important pivots. Official ATT&CK detection text is not provided, but a related detection strategy, DET0695 Detection of Video Capture, is supplied.
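The two artifact reviews above (the Android permission list and the iOS `Info.plist` declaration) can be automated against exported app data. The following is an added example, not code from Glexia or MITRE: it parses a constructed `Info.plist` with the standard-library `plistlib` module and a constructed text sample modelled on the format of `dumpsys package <pkg>` output (section headers ending in `permissions:` followed by indented entries). The sample package names, usage strings and the exact dumpsys layout are assumptions for illustration; the point is that a declared key or a requested permission only proves capability, while the `granted=` flag (or the MDM permission state on iOS) is what shows the user actually allowed camera access.

```python
"""Extract camera-capability evidence from mobile app artifacts.

Added example, not code from the Glexia page or from MITRE. Both inputs
are constructed: the Info.plist is a minimal bundle manifest, and the
Android text is modelled on the `dumpsys package <pkg>` output format
(section headers ending in "permissions:" followed by indented entries).
"""
import plistlib
import re

CAMERA_PERMISSION = "android.permission.CAMERA"
IOS_CAMERA_KEY = "NSCameraUsageDescription"

# Constructed iOS Info.plist that declares a camera usage string.
IOS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.fieldscan</string>
  <key>NSCameraUsageDescription</key>
  <string>Scan paper forms at the job site.</string>
</dict>
</plist>"""

# Constructed Info.plist with no camera declaration at all.
IOS_INFO_PLIST_NO_CAMERA = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
</dict>
</plist>"""

# Constructed text modelled on `dumpsys package` output: CAMERA is
# requested by the app and the user has granted it at runtime.
ANDROID_DUMPSYS_GRANTED = """\
Package [com.example.fieldscan] (a1b2c3d):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

# Same package shape, but the user denied the runtime prompt.
ANDROID_DUMPSYS_DENIED = ANDROID_DUMPSYS_GRANTED.replace(
    "CAMERA: granted=true", "CAMERA: granted=false")


def ios_camera_usage(info_plist: bytes):
    """Return the NSCameraUsageDescription string, or None if absent.

    A present key means the app *can* prompt for the camera; it says
    nothing about whether the user actually granted access.
    """
    data = plistlib.loads(info_plist)
    value = data.get(IOS_CAMERA_KEY)
    return value if isinstance(value, str) and value.strip() else None


def android_camera_state(dumpsys_text: str):
    """Return {'requested': bool, 'granted': True/False/None}.

    'granted' is None when CAMERA never appears with a granted= flag,
    e.g. because the runtime prompt has not yet been answered.
    """
    section = None
    requested = set()
    granted = {}
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):
            section = line[:-1]          # e.g. "runtime permissions"
            continue
        if not line or section is None:
            continue
        if section == "requested permissions":
            requested.add(line.split(":", 1)[0])
        elif section in ("install permissions", "runtime permissions"):
            m = re.match(r"^(\S+): granted=(true|false)", line)
            if m:
                granted[m.group(1)] = (m.group(2) == "true")
    return {"requested": CAMERA_PERMISSION in requested,
            "granted": granted.get(CAMERA_PERMISSION)}


if __name__ == "__main__":
    print("iOS usage string:", ios_camera_usage(IOS_INFO_PLIST))
    print("iOS no camera:", ios_camera_usage(IOS_INFO_PLIST_NO_CAMERA))
    print("Android granted:", android_camera_state(ANDROID_DUMPSYS_GRANTED))
    print("Android denied:", android_camera_state(ANDROID_DUMPSYS_DENIED))
```

In practice the Android text would come from a device or MDM export rather than a literal, and the iOS check should be paired with the MDM's record of the user-granted state, since `Info.plist` alone cannot show a grant.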

Likely telemetry

  • Mobile device management or enterprise mobility inventory for installed apps and OS versions
  • Android application permission data, especially android.permission.CAMERA
  • iOS application metadata including NSCameraUsageDescription in Info.plist where available
  • User-granted camera permission state for mobile apps
  • Root or jailbreak posture and device compliance status

Detection direction

  • Confirm whether mobile telemetry can show which apps request and are granted camera access on Android and iOS.
  • Baseline approved business use of camera permissions to reduce false positives from conferencing, scanning, authentication, and field-work applications.
  • Prioritize alerts where camera permission appears on apps that are unapproved, newly installed, sideloaded, associated with remote access behavior, or present on rooted or jailbroken devices.
  • Correlate permission findings with device integrity, unusual media file creation, and outbound transfer activity rather than treating permission presence alone as proof of capture.
  • Use relationship context to enrich hunting for Android spyware and RAT behaviors, while avoiding attribution claims unless local evidence supports them.
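The five detection points above describe one triage procedure: suppress approved baseline use, raise priority for unapproved, sideloaded, newly installed, remote-access or rooted/jailbroken contexts, and treat permission presence as weak on its own until media creation and outbound transfer corroborate it. The following added example (not Glexia's or MITRE's code) applies that procedure to a small constructed inventory. The `AppRecord` fields, the approved-app set and the score weights are assumptions standing in for whatever an MDM or mobile threat defense export actually provides; the structure is what matters.

```python
"""Triage of camera-permission findings from a mobile app inventory.

Added example, not code from the Glexia page or from MITRE. The record
schema, approved-app list and weights below are constructed assumptions;
the logic follows the page's detection direction: baseline approved use,
weight risky contexts, and require follow-on evidence before calling a
permission an actual capture.
"""
from dataclasses import dataclass

# Assumed allowlist of business apps with a legitimate camera need.
APPROVED_CAMERA_APPS = {"com.example.conferencing", "com.example.docscan"}


@dataclass
class AppRecord:
    device_id: str
    platform: str                      # "android" or "ios"
    app_id: str
    camera_requested: bool             # holds android.permission.CAMERA or
                                       # declares NSCameraUsageDescription
    camera_granted: bool               # user-granted state from MDM, if known
    sideloaded: bool = False
    installed_days_ago: int = 365
    device_compromised: bool = False   # rooted or jailbroken per compliance
    remote_access_behavior: bool = False
    new_media_files: int = 0           # recent video/image files written
    outbound_transfer_mb: float = 0.0  # recent outbound volume for the app


def score_record(r: AppRecord):
    """Return (score, reasons). Score 0 means nothing to review."""
    if not r.camera_requested:
        return 0, []
    score, reasons = 0, []
    if r.app_id in APPROVED_CAMERA_APPS:
        reasons.append("approved business app (baseline)")
    else:
        score += 2
        reasons.append("camera access on unapproved app")
        if r.camera_granted:
            score += 1
            reasons.append("camera permission granted")
    if r.sideloaded:
        score += 2
        reasons.append("sideloaded")
    if r.installed_days_ago <= 7:
        score += 1
        reasons.append("installed within 7 days")
    if r.remote_access_behavior:
        score += 2
        reasons.append("remote access behaviour observed")
    if r.device_compromised:
        score += 2
        reasons.append("rooted or jailbroken device")
    # Permission presence alone is not capture: corroborating evidence
    # of media creation followed by outbound transfer carries most weight.
    if r.new_media_files and r.outbound_transfer_mb:
        score += 3
        reasons.append("media creation followed by outbound transfer")
    elif r.new_media_files or r.outbound_transfer_mb:
        score += 1
        reasons.append("partial follow-on evidence")
    return score, reasons


def severity(score: int) -> str:
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low" if score >= 1 else "none"


def triage(records):
    """Return findings sorted by score, dropping baseline (score 0) rows."""
    findings = []
    for r in records:
        score, reasons = score_record(r)
        if score == 0:
            continue
        findings.append({"device": r.device_id, "app": r.app_id,
                         "score": score, "severity": severity(score),
                         "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


# Constructed inventory rows for illustration.
SAMPLE_INVENTORY = [
    AppRecord("dev-01", "android", "com.example.conferencing", True, True),
    AppRecord("dev-02", "android", "com.example.freevpn", True, True,
              sideloaded=True, installed_days_ago=2,
              remote_access_behavior=True, new_media_files=12,
              outbound_transfer_mb=40.0),
    AppRecord("dev-03", "ios", "com.example.docscan", True, True,
              device_compromised=True),
    AppRecord("dev-04", "android", "com.example.game", True, False),
    AppRecord("dev-05", "ios", "com.example.notes", False, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["severity"], f["score"], f["device"], f["app"], f["reasons"])
```

Tune the weights and thresholds against local data; the useful property to preserve is that an approved conferencing app with a granted permission produces no alert, while the same permission on an unapproved, sideloaded app with follow-on media and transfer evidence rises to the top.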

Mitigation priorities

  • Keep mobile operating systems on recent supported versions, consistent with ATT&CK mitigation M1006 Use Recent OS Version.
  • Enforce mobile device compliance rules that identify or restrict rooted and jailbroken devices, especially for sensitive roles and locations.
  • Review and minimize camera permissions for enterprise-approved apps; remove or deny apps that do not have a business need for camera access.
  • Maintain an authoritative mobile app inventory and approval process for Android and iOS devices used for business.
  • Include mobile camera-permission review in incident response playbooks for suspected surveillanceware or mobile compromise.

Analyst notes and limits

This object is especially relevant to mobile surveillance scenarios. The relationship set includes Windshift and numerous mobile software entries, mostly Android, that use Video Capture, supporting prioritization for mobile threat hunting and spyware response. However, those relationships should be used for context and enrichment, not as evidence that any specific organization is targeted or compromised.

The supplied ATT&CK object has no specified tactics and no official detection text. DET0695 is listed only as a related detection strategy without details. Local telemetry availability will determine whether teams can validate actual video capture versus only camera permission or app capability. Claims about impact, attribution, active exploitation, or confirmed detection coverage require organization-specific evidence beyond the supplied fields.

Official MITRE ATT&CK definition

Video Capture

An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files.

Malware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of the device’s cameras for video recording rather than capturing the victim’s screen.

In Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Associated objects

Groups, software, and campaigns

Group Mobile

G0112: Windshift

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.[1][2][3]

Malware Mobile

S0328: Stealth Mango

Stealth Mango is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as Tangelo is believed to be from the same developer.[1]

Android
Malware Mobile

S9004: Crocodilus

Crocodilus is an Android banking Trojan that was discovered in March 2025. Crocodilus targeted users worldwide, including Turkey, Poland, Argentina, Brazil, Spain, the United States, Indonesia and India. Crocodilus has been customized based on the target location. For example, Crocodilus mimicked major Turkish and Spanish banks for users in Turkey and Spain, while users in Poland saw Facebook advertisements that promoted Crocodilus to claim bonus points.[1][2]

Android
Malware Mobile

S1195: SpyC23

SpyC23 is a mobile malware that has been used by APT-C-23 since at least 2017. SpyC23 has been observed primarily targeting Android devices in the Middle East.[1]

There are multiple close variants of SpyC23, such as VAMP[2], GnatSpy[3], Desert Scorpion and FrozenCell, which add some additional functionality but are not significantly different from the original malware.

Android
Malware Mobile

S1069: TangleBot

TangleBot is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. TangleBot has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to FluBot Android malware campaigns.[1]

Android
Malware Mobile

S0407: Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.[1]

Android
Malware Mobile

S1080: Fakecalls

Fakecalls is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.[1]

Android
Malware Mobile

S1243: DCHSpy

DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.[1]

Android
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.1
Created:
Modified:
Raw hash: 2b7fa939f33bf730...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.1 | | Current bundle | 2b7fa939f33b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. NIST Mobile Threat Catalogue APP-19
  2. mitre-attack T1512

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.