- Predator hijacks iOS camera and microphone indicators without user knowledge or consent
- Kernel-level access allows Predator to inject code into critical iOS system processes
- Predator removes visual recording indicators while maintaining persistent device monitoring
Apple may have introduced colored status bar indicators in iOS 14 to alert users when the camera or microphone is active, but experts have warned that this doesn’t stop all malware.
Spyware developed by Intellexa and Cytrox, called Predator, can run on compromised iOS devices without displaying any camera or microphone indicators.
Predator circumvents the indicator by intercepting sensor activity updates before the system’s user interface displays them, so users remain unaware of ongoing monitoring.
How Predator Bypasses the iOS Privacy Indicator
The malware does not exploit a new vulnerability; it requires previously obtained kernel-level access to hook system processes.
New research from Jamf Threat Labs shows how the spyware bypasses the iOS indicator by hooking the SpringBoard process, specifically targeting the _handleNewDomainData: method inside the SBSensorActivityDataProvider class.
This single hook overrides the object responsible for transmitting sensor updates to the UI, preventing green or orange dots from appearing when the camera or microphone is used.
Previous methods, including direct hooks to SBRecordingIndicatorManager, have been abandoned in favor of this more efficient and less discoverable upstream interception.
Predator contains several modules that handle different aspects of surveillance, such as the HiddenDot module and the CameraEnabler module.
While the former removes visual indicators, the latter bypasses camera authorization checks using ARM64 instruction pattern matching and pointer authentication code (PAC) redirection.
This allows the malware to locate internal functions that are not publicly exposed and redirect execution without triggering standard iOS security alerts.
The spyware also captures VoIP audio through a separate module. Unlike HiddenDot, the VoIP recording module does not directly remove microphone indicators; it relies on stealth techniques to remain unnoticed.
These modules can write audio data to unusual paths and manipulate system processes, making standard detection approaches difficult.
Predator’s design complicates detection because it injects code into critical system processes such as SpringBoard and mediaserverd.
It relies on Mach exception-based hooks rather than conventional inline hooks, making traditional endpoint protection and firewall software insufficient to detect malicious activity.
Behavioral indicators, such as unexpected creation of audio files or sensor activity updates that fail to trigger UI notifications, are key signs that defenders should monitor.
Observing memory mappings, exception ports, and thread state changes in system processes can also reveal signs of compromise.
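The two behavioral indicators named above can be checked by correlating device telemetry. The sketch below is an added example, not code from Jamf or from the article; the Event record, its field names, the time window and the allowlisted directory are all assumptions standing in for whatever normalized telemetry a team actually collects.

```python
from dataclasses import dataclass

# Hypothetical normalized telemetry record; field names are assumptions,
# not a real iOS log format.
@dataclass(frozen=True)
class Event:
    ts: float          # seconds since capture start
    kind: str          # "sensor_start", "indicator_shown" or "file_create"
    sensor: str = ""   # "camera" or "microphone"
    path: str = ""     # set for file_create events

AUDIO_EXT = (".wav", ".m4a", ".caf", ".aac")
# Assumed allowlist of directories where audio files are expected.
EXPECTED_AUDIO_DIRS = ("/var/mobile/Media/Recordings/",)
WINDOW = 2.0  # assumed max delay (s) between sensor start and its indicator

def find_anomalies(events):
    """Flag sensor starts with no UI indicator and audio files in odd paths."""
    events = sorted(events, key=lambda e: e.ts)
    shown = [e for e in events if e.kind == "indicator_shown"]
    used, findings = set(), []
    for e in events:
        if e.kind == "sensor_start":
            # Each indicator event may account for only one sensor start.
            match = next((i for i, s in enumerate(shown)
                          if i not in used and s.sensor == e.sensor
                          and 0 <= s.ts - e.ts <= WINDOW), None)
            if match is None:
                findings.append(("silent_sensor", e.ts, e.sensor))
            else:
                used.add(match)
        elif e.kind == "file_create" and e.path.lower().endswith(AUDIO_EXT):
            if not e.path.startswith(EXPECTED_AUDIO_DIRS):
                findings.append(("unexpected_audio_file", e.ts, e.path))
    return findings

# Constructed sample events, not captured from a real device.
SAMPLE = [
    Event(0.0, "sensor_start", "microphone"),
    Event(0.3, "indicator_shown", "microphone"),
    Event(10.0, "sensor_start", "camera"),          # no indicator follows
    Event(12.5, "file_create", path="/private/var/tmp/constructed_sample.m4a"),
    Event(20.0, "file_create", path="/var/mobile/Media/Recordings/memo.m4a"),
]

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```

A finding here is a lead for further triage rather than proof of compromise, since the window and the allowlist must be tuned to the telemetry source.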
Predator shows how commercial spyware can use AI tools and system-level access to perform sophisticated surveillance on iOS devices.
Users and security teams should understand the persistence techniques used by Predator and monitor devices for subtle anomalies in sensor activity.