Felix Krause, who recently warned of the danger of malicious iPhone password popups, wrote a blog post as a sort of PSA for iPhone users. To be clear, this is not a bug, but likely intended behavior.
What this means is that even if you don't see the camera "open" in the form of an on-screen viewfinder, an app can still take photos and videos. It is unknown how many apps currently do this, but Krause created a test app as a proof-of-concept.
This behavior is what enables certain "spy" apps like Stealth Cam and Easy Calc – Camera Eye to exist. But even if this behavior is well-known among iOS developers and hardcore users, it's worth remembering that all apps that have camera permission can technically take photos in this way.
"It's something most people have no idea about, as they think the camera is only being used if they see the camera content or a LED is blinking," Krause told Motherboard in a chat over Twitter direct message. Krause currently works at Google, but performed and published this research independently of his work there.