Unmasking Cybercrime Strengthening Digital Identity Verification against Deepfakes 2026

Page 12 of 23 · WEF_Unmasking_Cybercrime_Strengthening_Digital_Identity_Verification_against_Deepfakes_2026.pdf

Injection method classification

Three injection approaches were observed and used to classify the evaluated tools:

• App-level injection: Four tools performed injection by intercepting camera application programming interface (API) calls (e.g. Camera2 on Android, AVFoundation on iOS) and supplying synthetic content (pre-recorded video or manipulated stream) in place of the physical camera feed. This approach commonly relied on root/jailbreak and frameworks like Magisk/Xposed (Android) or Substrate (iOS). These tools are easier to implement than other injection methods, and are usually detectable with checks for root/jailbreak or for hooking frameworks like Xposed/Substrate.

• System-level virtual camera drivers: Three tools installed drivers or virtual camera devices at the OS level (for example, a Windows virtual webcam driver). These drivers appear as a physical camera to all apps (e.g. Zoom, Teams, KYC software), making detection by app-level checks more difficult. The injected content can be a live deepfake or pre-recorded video. Because the device is presented through a system-recognized driver, any app that uses the OS webcam sees it as a legitimate device, which makes this level of injection hard to detect.

• Hybrid overlay/mirroring: One tool combined container/virtualization techniques with user interface (UI) overlays or stream mirroring. Overlay methods rendered synthetic content on top of the real camera preview at the UI level, while mirroring techniques duplicated and redistributed camera streams (for instance, via DirectShow) to multiple fake camera endpoints. This approach could bypass certain app checks but could leave artefacts (e.g. duplicate camera feeds, mirrored sessions).

Platform support, price and live feed streaming

Pricing models vary widely among the tools. There are two open-source options that are available under permissive licences – the Massachusetts Institute of Technology (MIT) and the GNU General Public Licence (GPL).
Meanwhile, others follow commercial models – ranging from affordable one-time fees (e.g. approximately $25.95) to premium-grade offerings (priced at $3,000). In terms of platform support, mobile-focused tools generally target Android 5+, with some requiring higher versions such as Android 9+ and iOS 11–13.3. Desktop tools support a wide range of Windows OS versions (XP to 11). For live feed streaming, only three of eight tools support real-time messaging protocol (RTMP) or stream duplication, while others rely on pre-recorded or static media without native streaming support. Orientation mismatches, resolution requirements or manual intervention may still impact reliability during streaming attempts.

Root/jailbreak requirements

Half of the evaluated tools (four) required elevated privileges (typically achieved via root or jailbreak). Commonly harnessed frameworks included Magisk, Xposed/LSPosed (Android) and Cydia Substrate (iOS). The remaining tools claimed rootless operation; however, some rootless approaches (for example, virtualization engines or containers) were found to leave detectable system footprints despite not requiring formal root access.

Latency, timing accuracy and quality

Timing accuracy: Most tools struggled to maintain accurate timing during challenge–response interactions or randomized liveness prompts. Significant synchronization delays were observed for RTMP-based and static-content tools, reducing their ability to pass dynamic verification. Only one tool demonstrated real-time feed splitting with partial success in synchronized scenarios.

Video quality: Output quality varied widely and was highly sensitive to source media format, device capability and manual configuration. Orientation mismatches, resolution constraints and rendering glitches were common failure points on lower-end hardware. Optimal performance required modern central processing units (CPUs)/GPUs and correctly formatted source media.
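The timing finding above suggests a server-side check for randomized liveness prompts. The sketch below is an added example, not code from the report: the prompt names, the 1.5-second limit, the observation tuple format and the sample sessions are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical prompt names and limit; tune the limit on genuine-session data.
PROMPTS = ("turn_left", "turn_right", "blink", "smile", "nod")
MAX_LATENCY_S = 1.5
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, never sent to the client


def _tag(session_id, issued_at, prompts):
    msg = f"{session_id}|{issued_at:.3f}|{','.join(prompts)}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(session_id, now, count=3):
    """Choose unpredictable prompts and bind them to this session and time."""
    prompts = [secrets.choice(PROMPTS) for _ in range(count)]
    return {"session_id": session_id, "issued_at": now,
            "prompts": prompts, "tag": _tag(session_id, now, prompts)}


def evaluate(challenge, observations):
    """observations: one (prompt_shown_at, detected_action, detected_at) per prompt.
    Returns the reasons to reject; an empty list means the timing looks live."""
    expected = _tag(challenge["session_id"], challenge["issued_at"], challenge["prompts"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return ["challenge_tampered"]
    if len(observations) != len(challenge["prompts"]):
        return ["missing_responses"]
    reasons = set()
    for prompt, (shown_at, action, seen_at) in zip(challenge["prompts"], observations):
        latency = seen_at - shown_at
        if action != prompt:
            reasons.add("wrong_action")          # media that cannot follow the prompt
        if latency < 0:
            reasons.add("action_before_prompt")  # action predates the prompt
        elif latency > MAX_LATENCY_S:
            reasons.add("slow_response")         # synchronization delay
    return sorted(reasons)


def demo():
    """Constructed sessions: a live user, a delayed feed, static media, a reused challenge."""
    ch = issue_challenge("sess-demo", now=1000.0)
    shown = [1000.0 + 3 * i for i in range(len(ch["prompts"]))]
    live = [(t, p, t + 0.7) for t, p in zip(shown, ch["prompts"])]
    delayed = [(t, p, t + 2.4) for t, p in zip(shown, ch["prompts"])]
    static = [(t, "none", t + 0.5) for t in shown]
    reused = dict(ch, session_id="sess-other")
    return {"live": evaluate(ch, live), "delayed": evaluate(ch, delayed),
            "static": evaluate(ch, static), "reused": evaluate(reused, live)}
```

A timing check of this kind is one signal among several; it complements, and does not replace, the root/jailbreak, hooking-framework and camera-device checks described earlier on this page.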
UI hijack capabilities and networking behaviour

In total, seven evaluated camera injection tools lack UI hijack capabilities, meaning they do not overlay, manipulate or hook into application interfaces, or use AccessibilityService (an Android feature designed to enhance the UI and assist users with disabilities or those who might temporarily be unable to fully interact with their device) or system-level UI overlays. Their functionality is strictly limited to camera feed emulation or redirection. In terms of network behaviour, all tools operate locally with no evidence of command-and-control (C2) communication, data exfiltration or external server beacons. This suggests that, from a networking and UI manipulation standpoint, these tools pose minimal active threat beyond the camera injection vector itself, and that their functionality for remote-controlled attacks is limited.