- Predator hijacks iOS camera and microphone indicators without user knowledge or consent
- Kernel-level access allows Predator to inject code into critical iOS system processes
- Predator suppresses visual capture indicators while maintaining continuous monitoring of devices
Apple may have introduced colored status bar indicators in iOS 14 to alert users when the camera or microphone is active, but experts have warned that this won’t stop all malware.
Spyware developed by Intellexa and Cytrox, called Predator, can operate on compromised iOS devices without showing camera or microphone indicators.
Predator bypasses the indicator by intercepting sensor activity updates before the system’s user interface displays them, keeping users unaware of ongoing monitoring.
How Predator Bypasses the iOS Privacy Indicator
The malware does not exploit a new vulnerability; it requires previously gained kernel-level access to hook system processes.
New research from Jamf Threat Labs has outlined how the spyware bypasses the iOS indicator by hooking into the SpringBoard process, specifically targeting the _handleNewDomainData: method of the SBSensorActivityDataProvider class.
This single hook overrides the object responsible for sending sensor updates to the UI and prevents the green or orange dots from appearing when the camera or microphone is in use.
Previous methods, including direct hooks to the SBRecordingIndicatorManager, were abandoned in favor of this upstream interception, which is more efficient and less detectable.
Predator includes several modules that handle different aspects of surveillance, such as the HiddenDot module and the CameraEnabler module.
While the former suppresses visual indicators, the latter bypasses camera permission checks using ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection.
This allows the malware to locate internal functions that are not publicly exposed and redirect execution without triggering standard iOS security alerts.
The spyware also captures VoIP audio through a separate module. Unlike HiddenDot, the VoIP recording module does not directly suppress microphone indicators; it relies on stealth techniques to remain undetected.
These modules can write audio data to unusual paths and manipulate system processes, making standard detection approaches difficult.
Predator’s design complicates detection because it injects code into critical system processes such as SpringBoard and the media server.
It relies on Mach exception-based hooks rather than conventional inline hooks, making typical endpoint protection and firewall software insufficient to detect malicious activity.
Behavioral indicators, such as unexpected audio file creation or sensor activity updates that do not trigger UI notifications, are key signs defenders need to monitor.
Observing memory mappings, exception ports, and thread state changes in system processes can also reveal signs of compromise.
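The correlation described above, sensor activity that never produces a UI indicator, sketched as an added example; it is not code from Jamf or from this article. The event tuples are a constructed, hypothetical telemetry format (not a real iOS log), and the one-second grace window is an assumption.

```python
# Constructed telemetry (hypothetical format, not a real iOS log):
# (timestamp_seconds, source, sensor, action)
SAMPLE_EVENTS = [
    (100.0, "sensor", "microphone", "start"),
    (100.2, "indicator", "microphone", "shown"),
    (130.0, "sensor", "microphone", "stop"),
    (200.0, "sensor", "camera", "start"),       # no indicator follows
    (245.0, "sensor", "camera", "stop"),
    (400.0, "sensor", "microphone", "start"),   # still open at end of log
]

GRACE_SECONDS = 1.0  # assumed maximum delay between sensor start and indicator


def _indicated(times, start, grace):
    """True if any indicator timestamp falls within the grace window."""
    return any(start <= t <= start + grace for t in times)


def find_silent_sessions(events, grace=GRACE_SECONDS):
    """Return (sensor, start, stop) for sessions with no matching indicator.

    stop is None when the session was still open at the end of the log.
    """
    shown = {}  # sensor -> timestamps at which its indicator was displayed
    for ts, source, sensor, action in events:
        if source == "indicator" and action == "shown":
            shown.setdefault(sensor, []).append(ts)

    open_start, findings = {}, []
    for ts, source, sensor, action in sorted(events):
        if source != "sensor":
            continue
        if action == "start":
            open_start.setdefault(sensor, ts)  # ignore duplicate starts
        elif action == "stop" and sensor in open_start:
            start = open_start.pop(sensor)
            if not _indicated(shown.get(sensor, []), start, grace):
                findings.append((sensor, start, ts))

    # Sessions that never stopped are still checked rather than dropped.
    for sensor, start in sorted(open_start.items(), key=lambda kv: kv[1]):
        if not _indicated(shown.get(sensor, []), start, grace):
            findings.append((sensor, start, None))
    return findings


if __name__ == "__main__":
    for sensor, start, stop in find_silent_sessions(SAMPLE_EVENTS):
        print(f"no indicator for {sensor}: start={start} stop={stop}")
```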
Predator demonstrates how commercial spyware can use AI tools and system-level access to perform sophisticated surveillance on iOS devices.
Users and security teams should understand the persistence techniques used by Predator and monitor devices for subtle anomalies in sensor activity.



