DET0673 Detection of Audio Capture

| Item | Value |
| --- | --- |
| ID | DET0673 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1429 (Audio Capture)

Analytics

Android

AN1772

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, demonstrations have indicated that it may still be possible to access the microphone in the background without triggering this visual indicator, by abusing features that natively access the microphone or camera.(Citation: iOS Mic Spyware)

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators) Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.
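
One way to apply the permission review above during application vetting, as an added example that is not part of the original page or any MITRE tooling: it reads decoded AndroidManifest.xml text and classifies apps that request RECORD_AUDIO or CAPTURE_AUDIO_OUTPUT. The sample manifests, package names, verdict labels and the first_party allowlist are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RECORD_AUDIO = "android.permission.RECORD_AUDIO"
CAPTURE_AUDIO_OUTPUT = "android.permission.CAPTURE_AUDIO_OUTPUT"
# Both tags can declare a permission request in a manifest.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample manifests (decoded text XML, not binary AXML).
SAMPLE_RECORDER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.recorder">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.flashlight">
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAPTURE_AUDIO_OUTPUT"/>
</manifest>"""
SAMPLE_NOTES = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return (package, set of requested permission names)."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in PERMISSION_TAGS:
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return root.get("package", "<unknown>"), names

def vet_manifest(manifest_xml, first_party=frozenset()):
    """Classify one app as 'scrutinize', 'review' or 'none' (labels are assumptions)."""
    package, perms = requested_permissions(manifest_xml)
    audio = sorted(perms & {RECORD_AUDIO, CAPTURE_AUDIO_OUTPUT})
    if CAPTURE_AUDIO_OUTPUT in perms and package not in first_party:
        verdict = "scrutinize"   # third-party app asking for CAPTURE_AUDIO_OUTPUT
    elif audio:
        verdict = "review"       # microphone access requested: review and monitor
    else:
        verdict = "none"
    return {"package": package, "verdict": verdict, "audio_permissions": audio}

if __name__ == "__main__":
    for sample in (SAMPLE_RECORDER, SAMPLE_FLASHLIGHT, SAMPLE_NOTES):
        print(vet_manifest(sample))
```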

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| System Settings (DC0118) | User Interface | None |
| Permissions Requests (DC0114) | Application Vetting | None |

Mutable Elements

| Field | Description |
| --- | --- |

iOS

AN1773

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, demonstrations have indicated that it may still be possible to access the microphone in the background without triggering this visual indicator, by abusing features that natively access the microphone or camera.(Citation: iOS Mic Spyware)

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators) Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| System Settings (DC0118) | User Interface | None |
| Permissions Requests (DC0114) | Application Vetting | None |

Mutable Elements

| Field | Description |
| --- | --- |