TL;DR: Native virtual camera attacks rose 2,665% in 2024 and reached 785 weekly incidents in Q2, according to iProov’s 2025 Threat Intelligence Report, showing how software-level camera interception can bypass conventional device checks and feed synthetic video into identity verification systems. Traditional liveness and root-detection controls are no longer enough when the attack operates inside standard permissions and intact metadata.
NHIMG editorial — based on content published by iProov: Native virtual cameras represent a critical breakthrough in identity fraud
By the numbers:
- The iSOC recorded 785 weekly attack incidents at peak activity in Q2 2024.
- In the NHI domain, 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams defend remote identity verification against native virtual cameras?
A: They should treat the video capture path as part of the trust boundary.
Q: Why do native virtual cameras undermine traditional liveness checks?
A: Because active liveness often relies on predictable user behaviour that a virtual camera can replay or synthesize.
Q: What breaks when mobile identity verification relies only on root detection?
A: Root detection breaks because native virtual camera attacks do not require rooted or jailbroken devices.
Practitioner guidance
- Map the full camera trust boundary Document every component from physical sensor to verification decision, including OS permissioning, camera middleware, and app-level receipt.
- Add capture-path integrity checks Require telemetry that validates the video pipeline, not only device root status.
- Reduce reliance on predictable prompts Avoid treating fixed blink or movement challenges as decisive evidence of presence.
What's in the full article
iProov's full blog post covers the operational detail this post intentionally leaves for the source:
- A deeper breakdown of the native virtual camera attack chain and how the operating system is manipulated at the capture layer
- The detection logic behind dynamic liveness verification and why passive approaches reduce replay predictability
- The device integrity checks and telemetry signals that can help distinguish genuine camera output from injected video
- The report's broader threat intelligence findings on how fraud tooling is evolving across mobile identity verification
👉 Read iProov's analysis of native virtual camera attacks and remote identity fraud →
Native virtual camera attacks: are identity checks keeping up?
Explore further
Native virtual camera fraud is an identity assurance problem, not just a biometrics problem. The attack succeeds because the trust boundary sits lower than many verification programmes assume. Once the capture path is compromised, the system is no longer evaluating a live camera feed, it is evaluating whatever the attacker chooses to substitute. Practitioners should treat this as a failure of end-to-end assurance, not a narrow liveness defect.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: Who is accountable when synthetic video bypasses an identity verification process?
A: Accountability should sit with the teams that own the full assurance workflow, not only the biometric vendor or the mobile endpoint team. If the process accepts a video feed without validating capture integrity, the governance model is incomplete.
👉 Read our full editorial: Native virtual camera fraud is breaking remote identity verification