Predator iOS Spyware Suppresses Camera and Microphone Recording Indicators via SpringBoard Hooking
Jamf Threat Labs reverse-engineered Intellexa/Cytrox Predator iOS spyware and documented how it defeats Apple’s iOS 14+ privacy indicators (green dot for camera, orange dot for microphone) while conducting covert surveillance. The analysis describes a post-compromise capability (not a new iOS vulnerability): Predator requires a device to already be fully compromised, including kernel-level access and the ability to inject code into system processes, after which it can silently stream camera and microphone feeds without triggering the on-screen indicators.
Technically, Jamf found Predator uses a single SpringBoard hook (e.g., HiddenDot::setupHook()) to intercept sensor-activity updates before they reach the UI, targeting the method _handleNewDomainData: associated with SBSensorActivityDataProvider. By nullifying or suppressing the object/updates responsible for indicator state changes (including via Objective-C nil messaging behavior), Predator prevents the indicator dots from ever lighting up. Reporting on the research, BleepingComputer highlighted that the mechanism does not exploit an iOS flaw itself, but leverages previously obtained privileged access; Jamf also noted an operational limitation where VoIP recording may not have the same built-in stealth capability as the camera/microphone indicator bypass.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
BleepingComputer reports Apple did not comment on Jamf findings
After reporting on Jamf's analysis of Predator's iOS techniques, BleepingComputer said it requested comment from Apple and received no response. The follow-up did not introduce a new technical finding about the spyware itself but recorded Apple's lack of public comment at that time.
Jamf details Predator camera and audio modules plus detection artifacts
In the same research, Jamf described a CameraEnabler module that uses ARM64 instruction pattern matching and PAC-related redirection to bypass camera access checks, and a VoIP recording component that hooks audio conversion functions. Jamf also published detection considerations including Mach exception-based hooking, process injection artifacts, unusual memory mappings, and behavioral mismatches such as sensor use without corresponding indicators.
Jamf analyzes Predator's iOS indicator-suppression technique
Jamf Threat Labs documented how the Predator commercial spyware suppresses iOS 14+ camera and microphone recording indicators after a device is already fully compromised. The analysis found Predator injects into SpringBoard and hooks the private-framework method SBSensorActivityDataProvider._handleNewDomainData: to drop sensor-activity updates before the UI shows the green or orange dots.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Jamf Analysis Finds Predator Spyware Uses Diagnostic Error Codes and Anti-Analysis Telemetry
New reverse-engineering by **Jamf Threat Labs** of an iOS **Predator** commercial spyware sample found previously undocumented anti-analysis and “deployment troubleshooting” capabilities that help operators understand *why* an infection attempt failed. The analysis describes an internal **error-code taxonomy** that reports specific failure conditions back to Predator’s command-and-control infrastructure, including `error code 304` indicating the target device is running security or analysis tooling; Jamf assessed this turns failed deployments into actionable diagnostic events for operators rather than opaque failures. Jamf also reported additional stealth and evasion features, including suppression of crash artifacts and mechanisms intended to hinder researcher analysis and user detection. Reported capabilities include checks for tools such as **Frida** and even utilities like `netstat`, suggesting Predator attempts to detect both professional analysis environments and privacy-conscious user behavior. Dark Reading highlighted that these telemetry and reporting behaviors imply **Intellexa** (Predator’s vendor) may have more visibility into, and potential control over, deployments than commercial spyware vendors typically claim, and noted other technical elements Jamf described such as crash reporting/monitoring and iOS *SpringBoard* hooking intended to conceal recording indicators.
Mar 21, 2026
Apple iPhone and iPad Approved for NATO ‘Restricted’ Classified Data Handling
Apple announced that **standard iPhone and iPad devices** running **iOS 26** and **iPadOS 26** have been approved for handling NATO classified information up to the **“NATO Restricted”** level, meaning the devices no longer require special software or bespoke configurations for use in NATO restricted environments. The approval follows extensive security evaluation and testing, including assessments led by Germany’s **Federal Office for Information Security (BSI)**, and results in the devices being certified for use across **all NATO member states** and listed in the **NATO Information Assurance Product Catalogue**. Separately, research coverage reported that **Intellexa’s Predator spyware** can suppress iOS’s camera and microphone recording indicators (the green/orange “privacy dots”) on compromised devices by hooking into `SpringBoard` (e.g., via `HiddenDot::setupHook()`), preventing UI updates when sensors are activated. This Predator technique requires deep system access and is a distinct issue from NATO’s platform assurance decision, but it underscores that sophisticated spyware can undermine user-facing privacy signals even on iOS versions where those indicators are expected to provide transparency.
Mar 21, 2026
LightSpy iOS Spyware Expanded Into Destructive and Mobile Payment Attacks
Researchers reported that the **LightSpy** surveillance framework for iOS evolved from a modular implant into a broader mobile threat capable of both espionage and device disruption. Earlier analysis found the malware delivered through a malicious Safari/WebKit exploit chain, dropping a Mach-O payload disguised as a PNG, loading jailbreak-related components, and then deploying a modular Core over WebSockets. The implant supported devices up to iOS 13.3 and grew from 12 to as many as 28 plugins, enabling collection of messages, mail, files, location data, audio, camera output, and application data, while also simulating push notifications and interacting with multiple active C2 servers. Subsequent reporting said the platform was adapted for **mobile payment system attacks** and later highlighted a coordinated **kill-switch** capability in its iOS destructive plugin architecture. ThreatFabric had already identified seven destructive modules that could freeze devices or stop them from booting, indicating that LightSpy combined intelligence collection with sabotage options. Researchers also cited shared infrastructure and code overlap across LightSpy campaigns, exposed victim data on a poorly secured server, and development artifacts suggesting a likely China-linked operation with multiple developers behind the spyware.
May 27, 2026