- Predator hijacks iOS camera and microphone indicators without user knowledge or consent
- Kernel-level access allows Predator to inject code into critical iOS system processes
- Predator suppresses visual recording indicators while maintaining persistent device monitoring
Apple may have introduced colored status bar indicators in iOS 14 to alert users when the camera or microphone is active, but experts have warned that this does not stop all malware.
Spyware developed by Intellexa and Cytrox, called Predator, can work on compromised iOS devices without displaying any camera or microphone indicators.
Predator bypasses the indicator by intercepting sensor activity updates before the system’s user interface displays them, keeping users unaware of continuous surveillance.
How Predator bypasses the iOS privacy indicator
The malware does not exploit a new vulnerability; it requires previously obtained kernel-level access to hook system processes.
New research from Jamf Threat Labs describes how the spyware bypasses the iOS indicator by hooking the SpringBoard process, specifically by targeting the _handleNewDomainData: method within the SBSensorActivityDataProvider class.
This single hook overrides the object responsible for passing sensor updates to the UI, preventing green or orange dots from appearing when the camera or microphone is in use.
Previous methods, including direct hooks into SBRecordingIndicatorManager, were abandoned in favor of this upstream interception, which is more efficient and less detectable.
Predator contains several modules that handle different aspects of surveillance, such as the HiddenDot module and the CameraEnabler module.
While the former suppresses visual indicators, the latter bypasses camera permission checks using ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection.
This allows the malware to locate internal functions that are not publicly exposed and redirect execution without triggering standard iOS security alerts.
The spyware also captures VoIP audio through a separate module. Unlike HiddenDot, the VoIP recording module does not directly suppress microphone indicators, but instead relies on stealth techniques to go unnoticed.
These modules can write audio data to unusual paths and manipulate system processes, making standard detection methods difficult.
Predator’s design complicates detection because it injects code into critical system processes such as SpringBoard and mediaserverd.
It relies on Mach exception-based hooks rather than conventional inline hooks, making typical firewall and endpoint protection software insufficient to detect malicious activity.
Behavioral indicators, such as unexpected creation of audio files or sensor activity updates that do not trigger UI notifications, are key signals that defenders should monitor.
Observing memory allocations, exception ports, and thread state changes in system processes can also reveal signs of compromise.
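The two behavioral signals above (sensor activity with no matching indicator, and audio files appearing in unexpected places) can be checked by correlating device telemetry. The following is an added example, not code from Jamf or from the original article; the event schema, field names, paths and allowlist are hypothetical, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (JSON lines). The schema and every field name
# are hypothetical; they stand in for whatever a forensic pipeline emits.
SAMPLE = """
{"ts":"2025-01-10T09:00:00","type":"sensor_active","sensor":"microphone","proc":"VoiceMemos"}
{"ts":"2025-01-10T09:00:01","type":"indicator_shown","sensor":"microphone"}
{"ts":"2025-01-10T09:00:02","type":"file_created","proc":"VoiceMemos","path":"/allowed/recordings/memo1.m4a"}
{"ts":"2025-01-10T09:05:00","type":"sensor_active","sensor":"camera","proc":"unknown"}
{"ts":"2025-01-10T09:05:04","type":"file_created","proc":"unknown","path":"/tmp/cache/a7.caf"}
{"ts":"2025-01-10T09:07:00","type":"sensor_active","sensor":"microphone","proc":"unknown"}
{"ts":"2025-01-10T09:07:30","type":"indicator_shown","sensor":"microphone"}
"""

AUDIO_EXT = (".caf", ".m4a", ".wav", ".aac")
ALLOWED_AUDIO_DIRS = ("/allowed/recordings/",)  # assumption: site-specific allowlist

def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def silent_sensor_use(events, window=timedelta(seconds=3)):
    """Sensor activations with no indicator for the same sensor within `window`."""
    shown = [e for e in events if e["type"] == "indicator_shown"]
    hits = []
    for ev in (e for e in events if e["type"] == "sensor_active"):
        matched = any(s["sensor"] == ev["sensor"] and
                      timedelta(0) <= s["ts"] - ev["ts"] <= window for s in shown)
        if not matched:
            hits.append(ev)
    return hits

def unexpected_audio_files(events):
    """Audio files created outside the allowlisted directories."""
    return [e for e in events if e["type"] == "file_created"
            and e["path"].lower().endswith(AUDIO_EXT)
            and not e["path"].startswith(ALLOWED_AUDIO_DIRS)]

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for e in silent_sensor_use(evs):
        print("no indicator:", e["ts"].isoformat(), e["sensor"], e["proc"])
    for e in unexpected_audio_files(evs):
        print("unexpected audio file:", e["ts"].isoformat(), e["path"])
```

The third activation in the sample is flagged because its indicator arrives 30 seconds late, which a simple "was an indicator ever shown" check would miss.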
Predator shows how commercial spyware can use artificial intelligence tools and system-level access to conduct sophisticated surveillance on iOS devices.
Users and security teams should understand the persistence techniques used by Predator and monitor devices for subtle anomalies in sensor activity.