Predator Spyware Conceals Microphone and Camera Use on iPhones
Intellexa’s Predator spyware has been found capable of hiding indicators that reveal when an iPhone’s camera or microphone is actively being used, effectively allowing for secret surveillance. This capability doesn’t rely on exploiting vulnerabilities within iOS itself, but rather on leveraging existing kernel-level access to manipulate system indicators.
How Predator Operates
Apple introduced recording indicators in iOS 14 – a green dot for camera use and an orange dot for microphone use – to provide users with transparency regarding their device’s sensor activity. However, Predator circumvents this security feature by intercepting the signals that trigger these indicators.
Technical Details of the Concealment
Researchers at Jamf analyzed Predator samples and discovered that the spyware utilizes a single hook function, ‘HiddenDot::setupHook()’, within the SpringBoard application. This function is invoked whenever sensor activity changes, such as when the camera or microphone is activated. By intercepting this process, Predator prevents the updates from reaching the user interface, thus preventing the appearance of the green or orange dots.
Specifically, Predator targets the method ‘_handleNewDomainData:’, which iOS uses to communicate sensor activity changes. By “hooking” this method, the spyware intercepts all sensor status updates before they can trigger the visual indicators. The hook works by nullifying the object responsible for sensor updates (SBSensorActivityDataProvider in SpringBoard). Calls to a null object are silently ignored, effectively disabling the indicators.
While earlier attempts to directly manipulate the ‘SBRecordingIndicatorManager’ were found in the code, they were abandoned in favor of the more effective upstream interception method.
Additional Stealth Tactics
For VoIP recordings, Predator lacks a dedicated indicator-suppression mechanism and relies on the ‘HiddenDot’ function to maintain stealth. The spyware employs ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks, enabling camera access through a separate module.
Detection and Indicators of Compromise
Jamf researchers note that while the spyware hides the visual indicators, technical analysis can reveal its presence through unexpected memory mappings, exception ports in SpringBoard and mediaserverd, breakpoint-based hooks, and unusual audio file paths created by mediaserverd.
Recent Developments and Usage
Predator, developed by the US-sanctioned surveillance firm Intellexa, has been linked to multiple instances of targeted surveillance. In February 2026, Amnesty International reported that a government customer of Intellexa used the spyware to hack the iPhone of a journalist in Angola, Teixeira Cândido, via malicious links sent through WhatsApp [TechCrunch]. Prior incidents have been identified in Egypt, Greece, and Vietnam, including targeting U.S. Officials.
Intellexa has a history of exploiting zero-day vulnerabilities in mobile browsers to install Predator surreptitiously on devices [Google Cloud Blog]. Google’s Threat Intelligence Group has identified Intellexa as responsible for 15 unique zero-day vulnerabilities since 2021, out of approximately 70 discovered by their team [Google Cloud Blog]. The spyware utilizes exploit chains combining vulnerabilities in WebKit, the iOS kernel, and CoreTrust to achieve remote infection and persistent execution [iVerify].
Despite being sanctioned by the US Government in 2024, Intellexa continues to operate and evade restrictions [Google Cloud Blog].
Further Information
More details on how Predator hides recording indicators can be found in the Jamf analysis: [BleepingComputer]
Related reading