• Intellexa’s Predator spyware can hide iOS recording indicators while secretly streaming camera and microphone feeds to its operators. • The malware does not exploit any iOS vulnerability but leverages previously obtained kernel-level access to hijack system indicators that would otherwise expose its surveillance operation. • Apple introduced recording indicators on the status bar in iOS 14 to alert users when the camera or microphone is in use, displaying a green or an orange dot, respectively. • US-sanctioned surveillance firm Intellexa developed the Predator commercial spyware and delivered it in attacks that exploited Apple and Chrome zero-day flaws and through 0-click infection mechanisms. • While its ability to suppress camera and microphone activity indicators is well known, it was unclear how the mechanism worked. • How Predator hides recording Researchers at mobile device management company Jamf analyzed Predator samples and documented the process of hiding the privacy-related indicators.
Article Summaries:
- Intellexa’s Predator spyware can suppress iOS 14’s camera and microphone indicators by hijacking SpringBoard’s sensor‑update mechanism. Researchers at Jamf discovered that Predator installs a single hook, HiddenDot::setupHook(), which intercepts the _handleNewDomainData: method that normally updates the green (camera) and orange (microphone) status‑bar dots. By nullifying the SBSensorActivityDataProvider object, the spyware prevents any indicator from appearing, keeping its audio‑video capture invisible to users. Predator also bypasses camera permission checks via ARM64 pattern matching and PAC redirection. The malware does not exploit an iOS vulnerability but relies on prior kernel‑level access. Apple has not yet commented on the findings.
Sources: