Native virtual camera attacks: are identity checks keeping up?

TL;DR: Native virtual camera attacks rose 2,665% in 2024 and reached 785 weekly incidents in Q2, according to iProov’s 2025 Threat Intelligence Report, showing how software-level camera interception can bypass conventional device checks and feed synthetic video into identity verification systems. Traditional liveness and root-detection controls are no longer enough when the attack operates inside standard permissions and intact metadata.

NHIMG editorial — based on content published by iProov: Native virtual cameras represent a critical breakthrough in identity fraud

By the numbers:

• The iSOC recorded 785 weekly attack incidents at peak activity in Q2 2024.
• In the NHI domain, 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.

Questions worth separating out

Q: How should security teams defend remote identity verification against native virtual cameras?

A: They should treat the video capture path as part of the trust boundary.

Q: Why do native virtual cameras undermine traditional liveness checks?

A: Because active liveness often relies on predictable user behaviour that a virtual camera can replay or synthesize.

Q: What breaks when mobile identity verification relies only on root detection?

A: Root detection breaks because native virtual camera attacks do not require rooted or jailbroken devices.

Practitioner guidance

• Map the full camera trust boundary Document every component from physical sensor to verification decision, including OS permissioning, camera middleware, and app-level receipt.
• Add capture-path integrity checks Require telemetry that validates the video pipeline, not only device root status.
• Reduce reliance on predictable prompts Avoid treating fixed blink or movement challenges as decisive evidence of presence.

What's in the full article

iProov's full blog post covers the operational detail this post intentionally leaves for the source:

• A deeper breakdown of the native virtual camera attack chain and how the operating system is manipulated at the capture layer
• The detection logic behind dynamic liveness verification and why passive approaches reduce replay predictability
• The device integrity checks and telemetry signals that can help distinguish genuine camera output from injected video
• The report's broader threat intelligence findings on how fraud tooling is evolving across mobile identity verification

👉 Read iProov's analysis of native virtual camera attacks and remote identity fraud →

Native virtual camera attacks: are identity checks keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →