I just watched a guy on a TV show claim this although he was being detained for smuggling so he might not be the best source. Or maybe he is.
Yeah, if your phone is compromised like by side loading something dodgy.
If “they” were able to install some sort of malware / spyware on your phone, then yes.
Some Israeli security company had developed spyware that could be loaded on a phone simply by sending a text message. Presumably software that can bypass assorted security settings can also bypass the spot where you need to give an app permission to access your phone’s camera.
Another interesting myth is that if you power down your phone it can still be tracked. Possibly from the concept that if your phone screen is not active, a normal state, a phone that can accept incoming calls is by definition telling the nearest tower(s) where it is. Earlier movies used to show the perp removing the battery to prevent tracking.
Yes, state actors can (and do) do this, selectively, to high-value targets.
The most famous one was Pegasus (spyware) from a few years back, where the Israelis used undiscovered vulnerabilities in phones (zero-days) against high-value surveillance targets to monitor their lives through their phones, including their cameras and stored photos.
This situation is expected to get worse, not better, as AIs get better at discovering such vulnerabilities faster than they can be fixed.
If you’re not the likely subject of state surveillance, though, the risks are pretty low. Just tape over it if you’re really concerned. But the mics and your texts and such are always at risk of being surveilled if you’re a valuable enough target (journalists, activists, celebrities, rich people, threats to national security, etc.). Not so much if you’re just a common criminal. Your average PD doesn’t have the time or budget to do that to everyone.
(It’s not only state actors and intelligence agencies who can do this; technically anybody who finds such an exploit can. Sometimes they are sold on the black or gray market, or even on the open market at high enough prices. If you have enough money, you can usually buy and use such an exploit from the exploit vendors, even if you don’t have the technical know-how yourself.)
Why would anyone want to watch the inside of my pocket?
Relatedly, the PATRIOT Act (circa the 9/11 era) greatly strengthened the ability of US intelligence agencies to wiretap and gather information on its own citizens and share it with each other, and with foreign allies, often in a tit-for-tat exchange to bypass what minor legal protections there were in the first place. Combine that with Big Tech’s ever-ravenous desire to track everything about everyone, and data & adtech brokers acting as middlemen selling your data without any need for a warrant, there is effectively continuous 24/7 surveillance on all connected Americans, all the time, everywhere, regardless of legality and jurisdiction. Whatever privacy rights you think you have are rendered largely moot by the various loopholes and cross-agency, cross-state, exchanges.
I don’t think it’s an understatement to say that if you’re on the internet, you should have zero expectation of privacy (against state actors and big enough companies and rich individuals).
It’s a little harder these days for the average script kiddie or drive-by hacker to gain access to your phone (because of gradually improving security models in both Android and iPhone), but for state actors and big multinational entities, it is easier than ever to gain access to all your information, both legally and otherwise. If you truly care about privacy, you should not be on the internet at all — I don’t think there is a truly safe way to be online at all anymore. Luckily for most of us, we’re just not that interesting, either to intelligence agencies or would-be paparazzi.
It can (short of physically removing the battery), because spyware can make the phone pretend to be turned off when it isn’t.
What has it got in its pocketses?
Not completely a myth anymore. Along with the exception @Der_Trihs mentions (malware faking the phone is off), some Android phones become a Bluetooth tracker (like an AirTag) when turned off. I know the Pixel 8 and newer phones can do this, and possibly other brands.
When turned off, the Bluetooth radio is put in beacon mode. Other devices will detect the beacon, and report the location back to Google, where it will show up in your Find My devices page.
Turning off the phone will protect against software on the phone that reports the phone’s location. This software is usually found as parts of ad software that is loaded in otherwise legitimate apps (no malware, just adware). The government then buys the location data from the ad companies.
Just a plain gold ring…
Then it isn’t turned off.
Is clicking “Allow” when apps ask for camera access under that umbrella? I understand that that is something you do willingly, but is it enough?
Fascinating. I had no idea.
Paper describing how this works: https://petsymposium.org/popets/2025/popets-2025-0147.pdf
If you click Allow, the app can take pictures even if you don’t push the shutter yourself. You might not even see the camera preview.
If you don’t click allow, “normal” apps, like most of the ones you download from the real app store, won’t be able to take any pictures.
However, powerful enough malware/spyware can still bypass your phone’s protections and do whatever it wants to. It hacks your phone to take it over without you noticing anything different. There is nothing you can realistically do against such attacks except not having a phone. They don’t require your explicit install to infect your phone and take it over. If you’re a target of such software, there is nothing you can do.
I knew someone would come along and say this. This is as off as the phone gets. There’s no choice between “mostly off” and “really off”. So when the user selects “Power Off”, they turn the phone into a Bluetooth beacon.
I even agree with you when you claim this means the phone is lying about being off. Except (as far as I know) most of the phone is off, it’s just the Bluetooth that is on, but the Bluetooth is built into the Tensor SoC (I think), so maybe just parts of the chip are off?
For purposes of this thread the phone is off enough to not be able to turn on the camera, but still, first rule of not being tracked is don’t carry a phone.
I should do an experiment some day and go someplace with my phone off, and see if Google can track me.
No “we” can’t.
By the way I think you have a crumb or something on your upper lip. Just on the right hand side there.
With modern device designs, if it were possible to turn phones ‘completely off’, it would be difficult to turn them back on again, or charge the battery in that ‘off’ state - because the subsystems that probably handle button presses and especially those that control the charging are handled by microcontrollers. They might be on the same die, or just in the same package as the SoC, but capable of operating independently while the rest of the computing stuff is consuming no power.
It is not the electrical power from the charging cable that wakes the charge controller, it’s more like the charge controller periodically waking itself up (using a watchdog timer) and checking ‘is something plugged in?’
I recently measured the amount of current produced by my 5 V phone charger when my Android phone was plugged into it. With the phone at 100% charge, and with the phone on, the phone was drawing around 400 mA. I then turned the phone off, and I expected the current draw to be very small afterwards (only enough to power the monitoring circuitry). To my surprise, the phone was drawing around 300 mA to 400 mA when it was off. I thought that was weird. What’s being powered? Is the phone’s internal battery charging circuit sending the power to the (already charged) battery, and thus the energy is simply being converted to heat? Or is something… else, being powered.
It won’t be this. This used to work with NiCad and NiMH batteries but causes fires with Lithiums.
That would be an extraordinary amount of power to be used by an “off” phone. Is it possible that you took this measurement immediately after turning the power off such that (despite showing 100%) it was actually at say 99.9% and it was still topping off the charge?
Did it still say it was using this power 10-15 min after you turned it off?