{
	"id": "3401c911-a03d-4460-84ac-4d2cd7c011f9",
	"created_at": "2026-04-06T03:36:28.292995Z",
	"updated_at": "2026-04-10T03:30:33.033184Z",
	"deleted_at": null,
	"sha1_hash": "83cb52504ac3c94316f74d5f385121e0871087db",
	"title": "APP-19 · Mobile Threat Catalogue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47105,
	"plain_text": "APP-19 · Mobile Threat Catalogue\r\nArchived: 2026-04-06 03:13:21 UTC\r\nMobile Threat Catalogue\r\nAudio or Video Surveillance\r\nThreat Category: Malicious or privacy-invasive application\r\nID: APP-19\r\nThreat Description: Starting with Android 6.0, access to the microphone or camera is considered a dangerous\r\npermission and each recording attempt must be granted permission by the user at runtime. Similarly, the iOS\r\nsecurity model only allows apps granted permission by the user to access the camera or microphone while running\r\nin the foreground. Therefore, an app operating in these or newer environments cannot abuse public APIs to initiate\r\na recording outside the user’s knowledge. This threat can still be realized following successful exploits of OS\r\nvulnerabilities that ultimately provide a malicious app with unauthorized access to those resources (e.g. bypass\r\naccess control on APIs or direct access to the hardware).\r\nThreat Origin\r\nNot Applicable, See Exploit or CVE Examples\r\nExploit Examples\r\nMalware designed to take over cameras and record audio enters Google Play 1\r\nAn investigation of Chrysaor Malware on Android 2\r\nCVE Examples\r\nNot Applicable\r\nPossible Countermeasures\r\nEnterprise\r\nDeploy MAM or MDM solutions with policies that prohibit the side-loading of apps, which may bypass security\r\nchecks on the app.\r\nDeploy MAM or MDM solutions with policies that prohibit the installation of apps from 3rd party (unofficial) app\r\nstores.\r\nDeploy MDM solutions that support geo-fencing of BYOD devices with policies that disable device sensors (e.g.,\r\ncamera, microphone) when the device is being operated in sensitive locations.\r\nDeploy MDM solutions for COPE devices that support disabling device sensors (e.g. camera, microphone) that\r\ncan be used for recording of nearby activity.\r\nDeploy MAM solutions for COPE devices that support selectively enabling device sensors (e.g. camera,\r\nmicrophone) for a whitelist of trusted enterprise applications that require those functionalities.\r\nUse application threat intelligence data about potential abuse of access to device sensors associated with apps\r\ninstalled on COPE or BYOD devices\r\nMobile Device User\r\nUse Android Verify Apps feature to identify apps that may abuse access to sensor data to record nearby activity.\r\nMobile App Developer\r\nTo reduce risks of using the app, only request access to the minimal set of shared data stores (e.g., contacts,\r\ncalendar), OS services (e.g. location services), and device sensors (e.g. camera, microphone) necessary for the app\r\nto provide functionality.\r\nReferences\r\n1. D. Goodin, “Malware designed to take over cameras and record audio enters Google Play”, Ars Technica, 7\r\nMar. 2014; http://arstechnica.com/security/2014/03/malware-designed-to-take-over-cameras-and-record-audio-enters-google-play/ [accessed 8/25/2016]\r\n2. “An investigation of Chrysaor Malware on Android”, blog, 3 Apr. 2017; https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html [accessed 4/5/2017]\r\nSource: https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html"
	],
	"report_names": [
		"APP-19.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446588,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/83cb52504ac3c94316f74d5f385121e0871087db.pdf",
		"text": "https://archive.orkl.eu/83cb52504ac3c94316f74d5f385121e0871087db.txt",
		"img": "https://archive.orkl.eu/83cb52504ac3c94316f74d5f385121e0871087db.jpg"
	}
}