Mallory

Jamf Analysis Finds Predator Spyware Uses Diagnostic Error Codes and Anti-Analysis Telemetry

Tags: Jamf, commercial spyware, spyware, anti-analysis, telemetry, error-code taxonomy, crash reporting, diagnostic, error-code, troubleshooting, reverse-engineering, crash artifacts, monitoring, iOS, netstat

Updated January 16, 2026 at 02:02 AM · 3 sources

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

New reverse-engineering by Jamf Threat Labs of an iOS Predator commercial spyware sample found previously undocumented anti-analysis and “deployment troubleshooting” capabilities that help operators understand why an infection attempt failed. The analysis describes an internal error-code taxonomy that reports specific failure conditions back to Predator’s command-and-control infrastructure, including error code 304 indicating the target device is running security or analysis tooling; Jamf assessed this turns failed deployments into actionable diagnostic events for operators rather than opaque failures.

Jamf also reported additional stealth and evasion features, including suppression of crash artifacts and mechanisms intended to hinder researcher analysis and user detection. Reported capabilities include checks for tools such as Frida and even utilities like netstat, suggesting Predator attempts to detect both professional analysis environments and privacy-conscious user behavior. Dark Reading highlighted that these telemetry and reporting behaviors imply Intellexa (Predator’s vendor) may have more visibility into, and potential control over, deployments than commercial spyware vendors typically claim, and noted other technical elements Jamf described such as crash reporting/monitoring and iOS SpringBoard hooking intended to conceal recording indicators.

Related Stories

Predator iOS Spyware Suppresses Camera and Microphone Recording Indicators via SpringBoard Hooking

**Jamf Threat Labs** reverse-engineered *Intellexa/Cytrox Predator* iOS spyware and documented how it defeats Apple’s iOS 14+ privacy indicators (green dot for camera, orange dot for microphone) while conducting covert surveillance. The analysis describes a **post-compromise** capability (not a new iOS vulnerability): Predator requires a device to already be fully compromised, including **kernel-level access** and the ability to inject code into system processes, after which it can silently stream camera and microphone feeds without triggering the on-screen indicators. Technically, Jamf found Predator uses a **single SpringBoard hook** (e.g., `HiddenDot::setupHook()`) to intercept sensor-activity updates before they reach the UI, targeting the method `_handleNewDomainData:` associated with `SBSensorActivityDataProvider`. By nullifying or suppressing the object/updates responsible for indicator state changes (including via Objective-C `nil` messaging behavior), Predator prevents the indicator dots from ever lighting up. Reporting on the research, *BleepingComputer* highlighted that the mechanism does not exploit an iOS flaw itself, but leverages previously obtained privileged access; Jamf also noted an operational limitation where **VoIP recording** may not have the same built-in stealth capability as the camera/microphone indicator bypass.

3 weeks ago
Mobile Threat Research Highlights iOS Exploit Framework and Emerging Android Trojan Campaigns

Security researchers reported a sophisticated iPhone exploitation framework dubbed **Coruna** that appears to have originated as a professionally developed, likely government-grade capability and later proliferated to foreign espionage and criminal actors. Analyses cited by Google’s Threat Intelligence Group and mobile security firm iVerify describe **five exploit chains** spanning **20+ vulnerabilities** affecting **iOS 13 through 17.2.1**, enabling delivery via malicious web content for device fingerprinting, remote code execution, and bypass of key iOS mitigations; the tool’s apparent usage trail includes alleged deployment by **Russian intelligence against Ukrainian targets** and subsequent adoption by a cybercrime group for cryptocurrency theft. Separate mobile-threat reporting detailed multiple **Android** campaigns and families emphasizing stealth, persistence, and credential theft. CloudSEK described a **RedAlert** trojanized app impersonating Israel’s Home Front Command alerting application, using a **multi-stage APK/DEX loader chain** (including an `assets/` payload) and UI mimicry while coercing high-risk permissions (e.g., Contacts, SMS, Location) and establishing C2. PolySwarm summarized **PromptSpy**, an Android RAT with VNC-based remote control that integrates **Google Gemini** to generate context-aware UI gesture instructions from screen XML dumps to improve persistence across device variants, distributed via a phishing site impersonating a bank portal and assessed as financially motivated (notably targeting Argentina). Zimperium separately profiled **ZeroDayRAT** as a modular Android spyware platform spread via social engineering and sideloading, supporting surveillance and financial theft (e.g., screen capture, keylogging, credential harvesting), underscoring continued escalation in mobile malware sophistication.

1 week ago
Technical Analysis of Malware Obfuscation and Packing Techniques (SnappyBee and GuLoader)

Darktrace published a technical walkthrough of unpacking and analyzing **SnappyBee** (aka **Deed RAT**), a modular backdoor previously reported in China-linked espionage activity attributed to **Salt Typhoon** (aka *Earth Estries*). The write-up describes SnappyBee as typically deployed **post-compromise** to establish persistence and enable follow-on tooling (including **Cobalt Strike** and the **Demodex** rootkit), and highlights its use of a **custom packing routine** intended to obscure the payload and hinder static analysis. Zscaler ThreatLabz detailed **GuLoader**’s evolving **obfuscation** methods designed to evade detection and frustrate reverse engineering. Techniques described include **polymorphic “dynamic constant construction”** (building constants at runtime via instruction sequences like `mov`, `xor`, `add`, `sub`) and **exception-based control-flow redirection** that replaces normal `jmp` logic with deliberately triggered CPU exceptions handled by custom exception handlers (e.g., `0x80000003` `STATUS_BREAKPOINT`, `0x80000004` `STATUS_SINGLE_STEP`, `0xC0000005` `STATUS_ACCESS_VIOLATION`), complicating automated tracing and signature-based detection.
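The "dynamic constant construction" that Zscaler describes hides a value behind a short run of arithmetic so that the constant never appears as a literal in the binary. An analyst recovers it by replaying the sequence. The following is an added example, not code from Zscaler or the GuLoader write-up: a small evaluator for a constructed `mov`/`xor`/`add`/`sub` listing that emulates 32-bit register arithmetic (with wraparound) and returns the resolved constant. The instruction listing, register names and the hypothetical target value are all constructed for the demonstration.

```python
"""Replay a mov/xor/add/sub sequence to recover a runtime-built constant.

Added example: a minimal 32-bit evaluator for disassembly listings of the
"dynamic constant construction" kind. It supports only the four mnemonics
named in the write-up, with register or immediate source operands.
"""
import re

MASK32 = 0xFFFFFFFF  # all arithmetic is modulo 2**32, like a 32-bit register

# One instruction per line: "<mnemonic> <dst>, <src>" (case-insensitive).
_INSN = re.compile(r"^\s*(mov|xor|add|sub)\s+(\w+)\s*,\s*(-?\w+)\s*(?:;.*)?$", re.I)


def _operand(token, regs):
    """Resolve a source operand: hex/decimal immediate or an already-set register."""
    tok = token.lower()
    if re.fullmatch(r"-?0x[0-9a-f]+", tok):
        return int(tok, 16) & MASK32
    if re.fullmatch(r"-?\d+", tok):
        return int(tok, 10) & MASK32
    if tok in regs:
        return regs[tok]
    raise ValueError(f"register {tok!r} used before it was assigned")


def emulate_constant(listing, target="eax"):
    """Evaluate the listing and return the final value of `target` (default eax)."""
    regs = {}
    for line in listing:
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip blank lines and comment-only lines
        m = _INSN.match(line)
        if not m:
            raise ValueError(f"unsupported instruction: {line!r}")
        op, dst, src = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if op == "xor" and dst == src.lower():
            regs[dst] = 0  # 'xor reg, reg' is the zeroing idiom; no prior value needed
            continue
        val = _operand(src, regs)
        cur = regs.get(dst)
        if op == "mov":
            regs[dst] = val
        elif cur is None:
            raise ValueError(f"register {dst!r} read before it was assigned")
        elif op == "xor":
            regs[dst] = cur ^ val
        elif op == "add":
            regs[dst] = (cur + val) & MASK32
        elif op == "sub":
            regs[dst] = (cur - val) & MASK32
    if target.lower() not in regs:
        raise ValueError(f"target register {target!r} never assigned")
    return regs[target.lower()]


# Constructed listing (not from a real sample): the intended constant 0x1D3B696F
# is never present as a literal; it only exists after the sequence runs.
SAMPLE_LISTING = [
    "xor ecx, ecx          ; scratch register zeroed",
    "mov eax, 0x12345678   ; seed value",
    "xor eax, 0x0F0F0F0F   ; scramble",
    "add eax, 0x1000",
    "sub eax, 0x8",
    "add ecx, eax          ; copy into ecx via add-to-zero",
]


def resolve_sample():
    """Return the constant that the constructed sample builds in eax."""
    return emulate_constant(SAMPLE_LISTING)


if __name__ == "__main__":
    print(f"resolved constant: 0x{resolve_sample():08X}")
```

Usage: paste the disassembly lines of one constant-building run into a list and call `emulate_constant`; a real listing will also contain instructions outside the four supported mnemonics, and the evaluator deliberately raises on those so that an unexpected opcode is not silently skipped.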

1 month ago