I just watched a guy on a TV show claim this although he was being detained for smuggling so he might not be the best source. Or maybe he is.
Yeah, if your phone is compromised like by side loading something dodgy.
If “they” were able to install some sort of malware / spyware on your phone, then yes.
Some Israeli security company had developed spyware that could be loaded on a phone simply by sending a text message. Presumably software that can bypass assorted security settings can also bypass the spot where you need to give an app permission to access your phone’s camera.
Another interesting myth is that if you power down your phone it can still be tracked. Possibly from the concept that if your phone screen is not active, a normal state, a phone that can accept incoming calls is by definition telling the nearest tower(s) where it is. Earlier movies used to show the perp removing the battery to prevent tracking.
Yes, state actors can (and do) do this to, selectively, to high-value targets.
The most famous one was Pegasus (spyware) - Wikipedia from a few years back, where the Israelis used undiscovered vulnerabilities in phones (zero-days) against high-value surveillance targets to monitor their lives through their phones, including their cameras and stored photos.
This situation is expected to get worse, not better, as AIs get better at discovering such vulnerabilities faster than they can be fixed.
If you’re not the likely subject of state surveillance, though, the risks are pretty low. Just tape over it if you’re really concerned. But the mics and your texts and such are always at risk of being surveilled if you’re a valuable enough target (journalists, activists, celebrities, rich people, threats to national security, etc.). Not so much if you’re just a common criminal. Your average PD doesn’t have the time or budget to do that to everyone.
(It’s not only state actors and intelligence agencies who can do this; technically anybody who finds such an exploit can. Sometimes they are sold on the black or gray market, or even on the open market at high enough prices. If you have enough money, you can usually buy and use such an exploit from the exploit vendors, even if you don’t have the technical know-how yourself.)
Why would anyone want to watch the inside of my pocket?
Relatedly, the PATRIOT Act (circa the 9/11 era) greatly strengthened the ability of US intelligence agencies to wiretap and gather information on its own citizens and share it with each other, and with foreign allies, often in a tit-for-tat exchange to bypass what minor legal protections there were in the first place. Combine that with Big Tech’s ever-ravenous desire to track everything about everyone, and data & adtech brokers acting as middlemen selling your data without any need for a warrant, there is effectively continuous 24/7 surveillance on all connected Americans, all the time, everywhere, regardless of legality and jurisdiction. Whatever privacy rights you think you have are rendered largely moot by the various loopholes and cross-agency, cross-state, exchanges.
I don’t think it’s an understatement to say that if you’re on the internet, you should have zero expectation of privacy (against state actors and big enough companies and rich individuals).
It’s a little harder these days for the average script kiddie or drive-by hacker to gain access to your phone (because of gradually improving security models in both Android and iPhone), but for state actors and big multinational entities, it is easier than ever to gain access to all your information, both legally and otherwise. If you truly care about privacy, you should not be on the internet at all — I don’t think there is a truly safe way to be online at all anymore. Luckily for the most of us, we’re just not that interesting, either to intelligence agencies or would-be paparazzi.
It can (short of physically removing the battery), because spyware can make the phone pretend to be turned off when it isn’t.
What has it got in its pocketses?
Not completely a myth anymore. Along with the exception @Der_Trihs mentions (malware faking the phone is off), some Android phones become a bluetooth tracker (like an AirTag) when turned off. I know the Pixel 8 and newer phones can do this, and possibly other brands.
When turned off, the bluetooth radio is put in beacon mode. Other devices will detect the beacon, and report the location back to Google, where it will show up in your Find My devices page.
Turning off the phone will protect against software on the phone that reports the phone’s location. This software is usually found as parts of ad software that is loaded in otherwise legitimate apps (no malware, just adware). The government then buys the location data from the ad companies.