[evan_]

> You'd have to get the user to download and run a package installer that prompts for an admin password RIGHT?

In theory; but a motivated party with sufficient resources could simply ("simply") author a fake OS update and deliver it to you over a compromised ISP and you'd never know the difference.

[joshfraser]

You would just chain multiple exploits. For the right price you can buy a zero-day exploit for anything you want -- for the browser, OS & root access. If you have the money, installing the camera exploit in place is trivial.

[joshfraser]

No, it can run in user space by an unprivileged (non-root) application:

https://jscholarship.library.jhu.edu/handle/1774.2/36569