Date: 2026-02-24

Predator hijacks iOS camera and microphone indicators without user knowledge or consent

Kernel-level access enables Predator to inject code into critical iOS system processes

Predator suppresses visual recording indicators while maintaining persistent monitoring of devices

Apple may have introduced colored status bar indicators in iOS 14 to alert users when the camera or microphone is active, but experts have warned this does not stop all malware.

Spyware developed by Intellexa and Cytrox, dubbed Predator, can operate on compromised iOS devices without showing any camera or microphone indicators.

Predator bypasses the indicator by intercepting sensor activity updates before the system UI displays them, keeping users unaware of ongoing surveillance.

How Predator bypasses iOS privacy indicator

The malware does not exploit a new vulnerability; it requires previously obtained kernel-level access to hook system processes.

New research from Jamf Threat Labs has outlined how the spyware bypasses the iOS indicator by hooking the SpringBoard process, specifically targeting the _handleNewDomainData: method inside the SBSensorActivityDataProvider class.

This single hook nullifies the object responsible for passing sensor updates to the UI, preventing the green or orange dots from appearing when the camera or microphone is in use.

Previous methods, including direct hooks to the SBRecordingIndicatorManager, were abandoned in favor of this upstream interception, which is more efficient and less detectable.

Predator contains several modules that handle different aspects of surveillance, such as the HiddenDot module and the CameraEnabler module.

While the former suppresses visual indicators, the latter bypasses camera permission checks using ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection.

This allows the malware to locate internal functions that are not publicly exposed and redirect execution without triggering standard iOS security alerts.

The spyware also captures VoIP audio through a separate module. Unlike HiddenDot, the VoIP recording module does not directly suppress microphone indicators; it relies on stealth techniques to remain unnoticed.

These modules can write audio data to unusual paths and manipulate system processes, making standard detection approaches difficult.

Predator’s design complicates detection because it injects code into critical system processes such as SpringBoard and mediaserverd.

It relies on Mach exception-based hooks rather than conventional inline hooks, which makes typical endpoint protection and firewall software insufficient to detect malicious activity.

Behavioral indicators, such as unexpected audio file creation or sensor activity updates that fail to trigger UI notifications, are key signs defenders must monitor.

Observing memory mappings, exception ports, and thread state changes in system processes can also reveal signs of compromise.
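
The first behavioral indicator above, sensor activity that never produces a UI indicator, can be checked by correlating two event streams. The sketch below is an added example, not code from Jamf Threat Labs or from this article; it assumes the defender already has timestamped sensor and indicator events from some telemetry source, and the event layout, the names and the one-second grace window are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed telemetry: (seconds, source, sensor, event). The tuple layout and
# event names are assumptions for this example, not a real iOS log format.
SAMPLE_EVENTS = [
    (100.0, "sensor", "microphone", "start"),
    (100.2, "ui", "microphone", "indicator_on"),
    (130.0, "sensor", "microphone", "stop"),
    (200.0, "sensor", "camera", "start"),         # no indicator ever follows
    (245.0, "sensor", "camera", "stop"),
    (300.0, "sensor", "microphone", "start"),
    (303.5, "ui", "microphone", "indicator_on"),  # arrives after the grace window
    (320.0, "sensor", "microphone", "stop"),
]

@dataclass
class Finding:
    sensor: str
    started: float
    stopped: Optional[float]  # None if the session was still open at end of capture

def find_silent_sessions(events, grace=1.0):
    """Return sensor sessions with no UI indicator within `grace` seconds of start."""
    findings = []
    open_sessions = {}  # sensor -> [start_time, indicator_seen]
    for ts, source, sensor, event in sorted(events):
        if source == "sensor" and event == "start":
            open_sessions.setdefault(sensor, [ts, False])
        elif source == "ui" and event == "indicator_on" and sensor in open_sessions:
            if ts - open_sessions[sensor][0] <= grace:
                open_sessions[sensor][1] = True
        elif source == "sensor" and event == "stop" and sensor in open_sessions:
            start, seen = open_sessions.pop(sensor)
            if not seen:
                findings.append(Finding(sensor, start, ts))
    # Sessions that never closed are reported too: the capture may end mid-recording.
    for sensor, (start, seen) in sorted(open_sessions.items()):
        if not seen:
            findings.append(Finding(sensor, start, None))
    return findings

if __name__ == "__main__":
    for f in find_silent_sessions(SAMPLE_EVENTS):
        print(f"ALERT {f.sensor}: active from {f.started} to {f.stopped} with no indicator")
```

A finding here is a lead for further triage, not proof of compromise, since delayed or dropped telemetry produces the same gap.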

Predator shows how commercial spyware can use AI tools and system-level access to carry out sophisticated surveillance on iOS devices.

Users and security teams should understand the persistence techniques Predator uses and monitor devices for subtle anomalies in sensor activity.

