Beyond the Fake 'Play' Button


In our previous articles, we exposed the common "fake play button" trick used by sextortion scammers in Chennai and around the world. By luring victims into clicking "Allow" on a camera permission pop-up, they silently capture images for blackmail. However, this is just the tip of the iceberg.
Cybercriminals have a diverse and sophisticated toolkit. Understanding their other methods is crucial for building a comprehensive digital defense. Here are eight other technical pathways attackers can use to turn your device's camera against you.
1. Phishing with Fake Permission Dialogs
This is a classic bait-and-switch. Instead of triggering the real browser pop-up, the attacker's webpage displays a carefully crafted image or overlay that looks exactly like a system permission request ("This site wants to use your camera. Allow / Block"). When the victim clicks the fake "Allow" button, they aren't granting permission. Instead, they are unknowingly executing hidden malicious code, which could then trigger a real permission request or even download malware.
2. Browser or In-App Browser Vulnerabilities
When you click a link inside an app like Telegram or WhatsApp, it often opens in an "in-app browser" (technically a WebView). If this in-app browser or your main mobile browser is outdated, it may contain security flaws. Attackers actively seek out these vulnerabilities, which, in some cases, could allow them to bypass security prompts and gain access to your camera and microphone without your consent.
3. Drive-by Malware (APK / App Installation)
This method is particularly common on Android. Clicking a malicious link might not lead to a website, but instead, trigger the download of a file with a .apk extension. The page will claim this app is required to "view the video" or "unlock the content." If the victim is tricked into installing this malicious application, they are essentially handing over the keys to their device. The app, once installed, can gain camera, microphone, and other permissions, often without any further prompts.
4. Spyware Already Installed on the Device
Sometimes, the link you click is not the primary attack; it's just a trigger. Your phone or computer may have already been compromised by sophisticated spyware (like Pegasus or Predator) or cheaper, more common "stalkerware" apps. In this scenario, the device is already under the attacker's control. The link is simply a lure to ensure you are looking at your screen, allowing the pre-installed malware to activate the camera and capture your image at the opportune moment.
5. Social Engineering with Fake “Video Chat” Platforms
Here, the attacker uses deception on a larger scale. They might direct you to a website that looks like a legitimate video chat or streaming platform. You, believing you are about to join a private call or watch a live stream, willingly accept the camera and microphone permission request. Instead of connecting you to another person, the site simply records your feed and sends it directly to the scammer.
6. QR Code or Deep Link Exploits
A link doesn't always have to start with http://. Sometimes, a QR code or a link in a message is a "deep link" (e.g., intent:// or tg://). These are designed to open a specific app on your phone. If an attacker can trick you into clicking a deep link that opens a malicious or vulnerable app you already have installed, that app could be instructed to activate the camera, especially if you had granted it permissions in the past.
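To see what a deep link would actually open before tapping it, the link text can be parsed offline. The following is an added example, not code from the original article: the function name triage_link and the sample links are constructed for illustration, and the parsing follows the Android intent:// URI layout (#Intent;key=value;...;end).

```python
from urllib.parse import unquote, urlsplit

def triage_link(link: str) -> dict:
    """Describe what a link or decoded QR payload would open, without opening it."""
    link = link.strip()
    scheme = urlsplit(link).scheme.lower()
    kind = "web" if scheme in ("http", "https") else ("deep-link" if scheme else "not-a-url")
    report = {"scheme": scheme, "kind": kind, "package": None, "component": None,
              "action": None, "inner_scheme": None, "fallback_url": None,
              "extras": {}, "notes": []}
    if kind == "deep-link":
        report["notes"].append(f"'{scheme}:' is routed to an installed app, not a web page")
    if scheme != "intent":
        return report
    # Android intent URI layout: intent://host/path#Intent;key=value;...;end
    _, marker, fields = link.partition("#Intent;")
    if not marker:
        report["notes"].append("malformed intent URI: no '#Intent;' section")
        return report
    for field in fields.split(";"):
        key, _, value = field.partition("=")
        value = unquote(value)  # values in the fragment are percent-encoded
        if key == "scheme":
            report["inner_scheme"] = value
        elif key in ("package", "component", "action"):
            report[key] = value
        elif key == "S.browser_fallback_url":
            report["fallback_url"] = value
        elif "." in key:
            report["extras"][key] = value  # typed extras, e.g. S.name=string value
    if report["package"] is None and report["component"] is None:
        report["notes"].append("no package pinned: any app registered for the scheme may open it")
    if report["component"]:
        report["notes"].append("explicit component: targets one specific screen of one app")
    fallback = report["fallback_url"]
    if fallback and urlsplit(fallback).scheme.lower() != "https":
        report["notes"].append("fallback URL is not https")
    return report

# Constructed sample links (not taken from any real campaign).
SAMPLES = [
    "https://example.com/watch?v=1",
    "tg://resolve?domain=example_channel",
    "intent://open/live#Intent;scheme=exampleapp;package=com.example.viewer;"
    "S.browser_fallback_url=https%3A%2F%2Fexample.com%2Fget-app;end",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage_link(s))
```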
7. Remote Control via Accessibility Exploits (Android)
Android's Accessibility Services are powerful tools designed to assist users with disabilities. However, criminals can trick users into granting these permissions to a malicious app (often disguised as an "antivirus" or "performance booster"). Once an app has accessibility control, it can read your screen and remotely click buttons on your behalf. This means when a real camera permission pop-up appears, the malware can instantly click "Allow" before you even have a chance to react.
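A device check that ties this section to the sideloaded-APK case in section 3: list which apps currently hold accessibility control and flag those that did not come from the Play Store. This is an added example, not part of the original article; it parses the output of two standard adb commands, and the sample output, the package names and the allow parameter are constructed for illustration.

```python
import re

# Installer package of Google Play. Assumption: add your vendor's store if you trust it.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output: str) -> dict:
    """Map package -> installer from `adb shell pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def accessibility_packages(setting: str) -> list:
    """Packages named in `adb shell settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of components written as package/ServiceClass.
    """
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    return sorted({comp.split("/", 1)[0] for comp in setting.split(":") if comp})

def flag_risky(setting: str, pm_output: str, allow=frozenset()) -> list:
    """Return (package, install source) for accessibility apps not from a trusted store.

    `allow` is for preinstalled services you have verified yourself. A Play Store
    install is not proof of safety; this only narrows down what to review first.
    """
    installers = parse_installers(pm_output)
    findings = []
    for pkg in accessibility_packages(setting):
        source = installers.get(pkg)
        if pkg in allow or source in TRUSTED_INSTALLERS:
            continue
        findings.append((pkg, source or "unknown/sideloaded"))
    return findings

# Constructed sample output; com.example.* packages are placeholders.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.booster/.CleanerService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.booster  installer=null
package:org.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    print(flag_risky(SAMPLE_SETTING, SAMPLE_PM))
```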
8. Compromised Browser Extensions / Add-ons
For desktop users, the threat can come from browser extensions. A malicious add-on for Chrome or Firefox, perhaps installed weeks or months ago, might have requested camera permissions during its installation. When you visit the attacker's specific webpage, the extension can activate in the background, access the camera, and send data to the attacker without any new permission prompts.
Key Insight for Investigation: What to Ask Yourself
If you suspect you've been a victim, understanding what you saw (or didn't see) is critical for investigators in Chennai and elsewhere:
Did you see a permission pop-up and click "Allow"? If yes, the attack was likely the WebRTC / getUserMedia trick (the fake "Play" button).
Are you certain no permission pop-up appeared? If none appeared, the cause is likely more severe, pointing towards pre-installed spyware, a malicious app install (APK), or a browser/OS exploit.
Did the link open inside an app like Telegram? If so, vulnerabilities in the in-app browser should be considered.
Staying safe requires a multi-layered defense. Always be skeptical, keep your software updated, and think twice before granting any app or website the powerful permissions to your camera and microphone.
Written by Edward Anil Joseph
