How Predator Spyware Defeats iOS Recording Indicators

Privacy Guides Community [Unofficial] February 23, 2026

Jamf Threat Labs published a technical analysis revealing how the Predator commercial spyware (developed by Intellexa/Cytrox) suppresses iOS camera and microphone recording indicators after a device has been compromised.

Key Details:

  • Since iOS 14, Apple displays a green dot (camera) and orange dot (microphone) in the status bar when sensors are active; Predator silently suppresses both.
  • The technique requires the device to already be fully compromised (kernel-level access); this research does not reveal any new iOS vulnerabilities.
  • Predator hooks SBSensorActivityDataProvider._handleNewDomainData: in SpringBoard, intercepting all sensor activity updates before they reach the UI.
  • The suppression mechanism exploits Objective-C nil messaging: by zeroing the x0 register (the self pointer), the method call becomes [nil _handleNewDomainData:], which silently does nothing.
  • A single hook suppresses both indicators, since SBSensorActivityDataProvider aggregates all sensor activity.
  • A separate CameraEnabler module uses ARM64 pattern matching and PAC (Pointer Authentication Code) bypass to gain covert camera access.
  • The VoIP recording module has no indicator suppression of its own, relying on the universal suppression already being active.

Why It Matters: This research helps defenders and security teams understand the sophisticated post-exploitation techniques used by commercial spyware to silently bypass iOS privacy protections, enabling better detection capabilities.
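
Why a nil receiver hides both dots at once, as a simplified C model added here (not code from Jamf's analysis, Apple, or Predator). The names `provider_t`, `msg_send`, `run_case` and the `indicator_mismatch` check are hypothetical, and the dispatcher only imitates Objective-C's rule that a message sent to nil returns zero with no side effects.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for the UI-side provider; field names are hypothetical. */
typedef struct {
    int camera_dot;   /* green indicator state */
    int mic_dot;      /* orange indicator state */
} provider_t;

/* One aggregated sensor-activity update (constructed sample data). */
typedef struct { int camera_active; int mic_active; } domain_data_t;

typedef long (*imp_t)(provider_t *self, const domain_data_t *data);

/* Single handler that feeds both indicators, as the post describes. */
static long handle_new_domain_data(provider_t *self, const domain_data_t *d) {
    self->camera_dot = d->camera_active;
    self->mic_dot = d->mic_active;
    return 1;
}

/* Models the Objective-C rule: a message to nil is a no-op returning 0.
   No crash, exception or log entry results. */
static long msg_send(provider_t *receiver, imp_t imp, const domain_data_t *d) {
    if (receiver == NULL)
        return 0;
    return imp(receiver, d);
}

/* Hypothetical consistency check: a sensor is in use but its dot is off. */
static int indicator_mismatch(const provider_t *ui, const domain_data_t *truth) {
    return (truth->camera_active && !ui->camera_dot) ||
           (truth->mic_active && !ui->mic_dot);
}

/* Deliver one update with a valid or nil receiver; return 1 on mismatch. */
int run_case(int receiver_is_nil) {
    provider_t ui = {0, 0};
    domain_data_t both = {1, 1};   /* camera and microphone both active */
    msg_send(receiver_is_nil ? NULL : &ui, handle_new_domain_data, &both);
    return indicator_mismatch(&ui, &both);
}

int main(void) {
    printf("valid receiver: mismatch=%d\n", run_case(0));
    printf("nil receiver:   mismatch=%d\n", run_case(1));
    return 0;
}
```

The mismatch case is the defender-relevant signal: sensor activity exists, yet the indicator state never changed and nothing failed visibly.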

jamf.com

An analysis documenting how a commercial spyware sample, Predator, operates post-compromise.
