How Predator Spyware Defeats iOS Recording Indicators

Jamf Threat Labs published a technical analysis revealing how the Predator commercial spyware (developed by Intellexa/Cytrox) suppresses iOS camera and microphone recording indicators after a device has been compromised.

Key Details:

  • Since iOS 14, Apple displays a green dot (camera) and orange dot (microphone) in the status bar when sensors are active — Predator silently suppresses both.
  • The technique requires the device to already be fully compromised (kernel-level access); this research does not reveal any new iOS vulnerabilities.
  • Predator hooks SBSensorActivityDataProvider._handleNewDomainData: in SpringBoard, intercepting all sensor activity updates before they reach the UI.
  • The suppression mechanism exploits Objective-C nil messaging — by zeroing the x0 register (the self pointer), the method call becomes [nil _handleNewDomainData:], which silently does nothing.
  • A single hook suppresses both indicators, since SBSensorActivityDataProvider aggregates all sensor activity.
  • A separate CameraEnabler module uses ARM64 pattern matching and PAC (Pointer Authentication Code) bypass to gain covert camera access.
  • The VoIP recording module has no indicator suppression of its own, relying on the universal suppression already being active.

Why It Matters:
This research helps defenders and security teams understand the sophisticated post-exploitation techniques used by commercial spyware to silently bypass iOS privacy protections, enabling better detection capabilities.
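The nil-messaging behaviour that the summary describes is a property of the Objective-C runtime, not of SpringBoard, so it can be illustrated in plain Objective-C. The program below is an added example and is not code from the Jamf report or from Predator: it defines a hypothetical `SensorActivityDataProvider` class, modelled loosely on the page's `SBSensorActivityDataProvider`, whose `_handleNewDomainData:` method drives both indicator flags. It then sends the same update to a real instance and to a nil receiver, showing why a method invoked on a zeroed `self` silently does nothing and why a single aggregation point is a single point of failure for both dots. The dictionary keys and the update payload are constructed for the example.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical stand-in for SpringBoard's sensor activity provider.
// The class and selector names are modelled on the post; the body is
// invented for illustration and does not reflect Apple's implementation.
@interface SensorActivityDataProvider : NSObject
@property (nonatomic) BOOL cameraIndicatorVisible;
@property (nonatomic) BOOL microphoneIndicatorVisible;
- (void)_handleNewDomainData:(NSDictionary *)domainData;
- (NSUInteger)activeSensorCount;
@end

@implementation SensorActivityDataProvider
- (void)_handleNewDomainData:(NSDictionary *)domainData {
    // One update carries every active sensor, so this single method is
    // responsible for both the camera (green) and microphone (orange) dots.
    self.cameraIndicatorVisible = [domainData[@"camera"] boolValue];
    self.microphoneIndicatorVisible = [domainData[@"microphone"] boolValue];
    NSLog(@"indicator state updated: camera=%d microphone=%d",
          self.cameraIndicatorVisible, self.microphoneIndicatorVisible);
}
- (NSUInteger)activeSensorCount {
    return (self.cameraIndicatorVisible ? 1 : 0) +
           (self.microphoneIndicatorVisible ? 1 : 0);
}
@end

int main(void) {
    @autoreleasepool {
        // Constructed payload: both sensors report as active.
        NSDictionary *update = @{ @"camera": @YES, @"microphone": @YES };

        // Normal path: the provider receives the update and both flags flip.
        SensorActivityDataProvider *provider = [SensorActivityDataProvider new];
        [provider _handleNewDomainData:update];
        NSLog(@"real receiver -> active sensors: %lu",
              (unsigned long)[provider activeSensorCount]);   // 2

        // Zeroed receiver: objc_msgSend sees a nil self and returns at once.
        // No exception is raised, no log line is printed, and the method body
        // never runs, so no indicator state is ever produced.
        SensorActivityDataProvider *zeroed = nil;
        [zeroed _handleNewDomainData:update];

        // Messages that return a value behave the same way: a nil receiver
        // yields 0 (or nil), which downstream code cannot distinguish from
        // "no sensors active".
        NSLog(@"nil receiver -> active sensors: %lu",
              (unsigned long)[zeroed activeSensorCount]);     // 0
    }
    return 0;
}
```

Build on macOS with `clang -fobjc-arc -framework Foundation nilmsg.m -o nilmsg` and run `./nilmsg`; the real receiver logs an update and reports 2 active sensors, while the nil receiver produces no log line and reports 0. The defender's takeaway is the one the post makes: the runtime gives no signal that the update was dropped, so any detection has to come from outside the dispatch path, for example from monitoring for unexpected modification of SpringBoard's code pages or from hardware-backed indicators that do not depend on this software path at all.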

What kind of company is Jamf? I’m glad they’re researching this stuff.

How to mitigate and prevent Predator spyware from infecting an iPhone? Is it installed via USB or clicking a link through iMessage or WhatsApp?

Lockdown mode.

2 Likes

They’re a mobile device management software company that also does additional security research.

1 Like

Does this survive device reboot?

Newer iPhones and iPads supposedly have the onscreen indicator rendered in a way that it’s protected from even kernel exploits:

https://theapplewiki.com/wiki/Secure_Indicator_Light

Not sure how that works though, and I can’t find any official documentation on it.

From this post here: Dan Herbert: "@Cykelero@mas.to Possibly similar to how Android …" - Mastodon

Dan Herbert theorizes that Secure Exclave gets priority in rendering before anything else. Not the gold standard of hardware to LED light but as close as you can get software wise.