# Video Injection For many KYC (Know Your Customer) vendors, video stream injection is the "final boss" of fraud. It’s the process of bypassing a smartphone’s physical camera sensor to feed pre-recorded or AI-generated deepfakes directly into the application's media pipeline. If successful, an attacker can register thousands of fraudulent accounts using stolen identities without ever showing their real face. #### How Is Video Injected Attackers typically use three main vectors: 1. **Hooking:** Using **LSPosed** or **VCAM** modules to intercept Camera API calls and swap the live feed for a file like virtual.mp4. 2. **Emulators:** Running the app in **BlueStacks** or **Nox** and using **OBS VirtualCam** to map a PC video feed as the "phone camera". 3. **Automation:** Using the Appium framework to script the entire KYC process, often utilizing plugins that instrument the app to inject images. #### The Solution: Talsec's Defensive Mapping Because these tools require specific "illegal" environments to function, Talsec’s core features act as a multi-layered filter that stops the injection before the camera even opens. | Threat Vector | Talsec Relevant Feature | Why it Works | | ------------------------------ | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | LSPosed with VCAM Module | Root & Hook Detection | VCAM requires a rooted device (Magisk) and an active hooking framework (LSPosed/Frida) to function. Talsec can kill the session the moment it sees these artifacts. | | Emulators (BlueStacks) (+ OBS) | Emulator Detection | Injections via OBS happen at the virtualization layer. Talsec detects common emulators and can block the app entirely. | | Appium Framework | Automation Detection | Appium leaves traces in the uiautomator service and often requires ADB/Developer Options to be enabled, both of which Talsec detects. | | Repackaged Testing Builds | App Integrity Checks | Attackers sometimes re-sign the APK to disable security for automation. Talsec’s signature and binary integrity checks prevent these modified builds from running. | *\*This information can be securely evaluated on the customer backend endpoint if Talsec AppiCrypt is used as well for enhanced security* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.talsec.app/appsec-articles/glossary/video-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.