
Predator Spyware: Hides iPhone Mic & Camera Activity on iOS 14+

by Lisa Park - Tech Editor

Intellexa’s Predator spyware has gained the ability to operate completely under the radar on iOS devices by suppressing the visual indicators that normally alert users to camera and microphone access. This means the spyware can secretly stream audio and video without triggering the green or orange dots in the iOS status bar, a key privacy feature introduced with iOS 14.

The technique doesn’t exploit any new vulnerability in iOS. Predator uses the kernel-level access it has already obtained to intercept and manipulate a system process. This matters for defenders: indicator suppression is a post-exploitation capability, so its effectiveness hinges on an initial compromise through other means, such as zero-day exploit chains or social engineering, rather than on a weakness in the indicator mechanism itself.

Apple’s recording indicators – a green dot for camera access and an orange dot for microphone access – were designed to provide users with a clear visual cue when an app is actively using their device’s sensors. Predator circumvents this protection, effectively blinding the user to ongoing surveillance.

Researchers at Jamf Threat Labs recently detailed the mechanism behind this suppression. Their analysis reveals that Predator employs a single “hook” function, dubbed ‘HiddenDot::setupHook()’, within the SpringBoard application – the core of the iOS user interface. This hook intercepts sensor activity updates whenever the camera or microphone is activated.

“By intercepting it, Predator prevents sensor activity updates from ever reaching the UI layer, so the green or red dot never lights up,” Jamf researchers explained in their report. The hook targets the ‘_handleNewDomainData:’ method, which iOS calls whenever sensor activity changes. By intercepting this single method, Predator effectively silences all sensor status updates before they can trigger the visual indicators.

The method is remarkably economical. Predator doesn’t tamper with the indicator display code itself. Instead, it nils out the object responsible for forwarding sensor updates, ‘SBSensorActivityDataProvider’, within SpringBoard. In Objective-C, the language most of iOS is written in, sending a message to nil is not an error: the call does nothing and returns zero. SpringBoard therefore never processes the camera or microphone activation signals, and no indicator appears.

Because ‘SBSensorActivityDataProvider’ handles all sensor activity, a single hook is sufficient to disable both the camera and microphone indicators simultaneously. Jamf’s research also uncovered remnants of an earlier, abandoned approach that attempted to directly hook ‘SBRecordingIndicatorManager,’ suggesting the current method is more effective and streamlined.
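To make the mechanism concrete, here is an added illustration (not Jamf’s analysis artefacts and not Predator’s code) of how a single method hook plus Objective-C’s nil-messaging rule silences every downstream indicator update. The classes ToyIndicatorManager, ToySensorActivityProvider and ToyDomainDataReceiver are hypothetical stand-ins for SpringBoard’s private classes, which the page only names; the event dictionary format is constructed for the demo.

```objc
// Added illustration; ToyIndicatorManager / ToySensorActivityProvider /
// ToyDomainDataReceiver are hypothetical stand-ins, not Apple's classes.
// Build on macOS: clang -fobjc-arc -framework Foundation demo.m -o demo
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

// Final consumer of sensor state: decides whether the green/orange dots show.
@interface ToyIndicatorManager : NSObject
@property (nonatomic) BOOL cameraDotVisible;
@property (nonatomic) BOOL micDotVisible;
- (void)sensor:(NSString *)sensor becameActive:(BOOL)active;
@end

@implementation ToyIndicatorManager
- (void)sensor:(NSString *)sensor becameActive:(BOOL)active {
    if ([sensor isEqualToString:@"camera"]) self.cameraDotVisible = active;
    else if ([sensor isEqualToString:@"microphone"]) self.micDotVisible = active;
}
@end

// Middle layer: owns the indicator manager and forwards every sensor update.
@interface ToySensorActivityProvider : NSObject
@property (nonatomic, strong) ToyIndicatorManager *indicators;
- (void)sensorActivityChanged:(NSString *)sensor active:(BOOL)active;
@end

@implementation ToySensorActivityProvider
- (void)sensorActivityChanged:(NSString *)sensor active:(BOOL)active {
    [self.indicators sensor:sensor becameActive:active];
}
@end

// Entry point for sensor updates, modelled on the page's description of a
// method (-_handleNewDomainData:) invoked whenever sensor activity changes.
@interface ToyDomainDataReceiver : NSObject
@property (nonatomic, strong) ToySensorActivityProvider *provider;
- (void)_handleNewDomainData:(NSDictionary *)data;
@end

@implementation ToyDomainDataReceiver
- (void)_handleNewDomainData:(NSDictionary *)data {
    // Objective-C rule: a message sent to nil does nothing and returns zero.
    // If self.provider has been cleared, the update dies silently right here.
    [self.provider sensorActivityChanged:data[@"sensor"]
                                  active:[data[@"active"] boolValue]];
}
@end

// The single hook. It never touches the indicator code; it clears the
// provider so the original method's forwarding call becomes a message to nil.
static IMP gOriginalHandleNewDomainData;

static void hookedHandleNewDomainData(id self, SEL _cmd, NSDictionary *data) {
    ((ToyDomainDataReceiver *)self).provider = nil;
    ((void (*)(id, SEL, NSDictionary *))gOriginalHandleNewDomainData)(self, _cmd, data);
}

static void installHiddenDotHook(void) {
    Method m = class_getInstanceMethod([ToyDomainDataReceiver class],
                                       @selector(_handleNewDomainData:));
    gOriginalHandleNewDomainData = method_setImplementation(m, (IMP)hookedHandleNewDomainData);
}

int main(void) {
    @autoreleasepool {
        ToyDomainDataReceiver *receiver = [ToyDomainDataReceiver new];
        receiver.provider = [ToySensorActivityProvider new];
        receiver.provider.indicators = [ToyIndicatorManager new];
        ToyIndicatorManager *ui = receiver.provider.indicators;  // keep UI alive

        // Unhooked: both camera and microphone updates reach the UI layer.
        [receiver _handleNewDomainData:@{@"sensor": @"camera", @"active": @YES}];
        [receiver _handleNewDomainData:@{@"sensor": @"microphone", @"active": @YES}];
        NSLog(@"before hook: camera=%d mic=%d", ui.cameraDotVisible, ui.micDotVisible);

        // Reset, install the one hook, replay the same events.
        ui.cameraDotVisible = NO; ui.micDotVisible = NO;
        installHiddenDotHook();
        [receiver _handleNewDomainData:@{@"sensor": @"camera", @"active": @YES}];
        [receiver _handleNewDomainData:@{@"sensor": @"microphone", @"active": @YES}];
        NSLog(@"after hook:  camera=%d mic=%d", ui.cameraDotVisible, ui.micDotVisible);
    }
    return 0;
}
```

The first log line shows both flags set; the second shows them cleared even though the original method still runs to completion. That is the property the article describes: because one object sits on the path for every sensor, one hook that nils it covers camera and microphone at once, and a defender inspecting only the indicator classes would see nothing patched.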

Interestingly, the module within Predator responsible for recording VoIP (Voice over Internet Protocol) calls lacks a dedicated indicator-suppression mechanism. It relies on the ‘HiddenDot’ function to maintain stealth during those recordings.

Beyond suppressing the indicators, Predator uses sophisticated techniques to gain camera access in the first place. Jamf’s analysis shows the spyware locates internal camera functions by matching ARM64 instruction patterns, a technique typically used to find unexported code, and uses Pointer Authentication Code (PAC) redirection to bypass the standard camera permission checks. This allows Predator to activate the camera without any user consent prompt.

The implications of this capability are significant. Without the status bar indicators, users have no visible cue that their camera and microphone are being accessed, leaving them exposed to covert surveillance. Jamf notes that forensic analysis of a suspected device can still reveal traces of the malicious code, such as unexpected memory mappings or exception ports in SpringBoard and mediaserverd, breakpoint-based hooks, and audio files written by mediaserverd to unusual locations.

Predator has been linked to surveillance operations targeting politicians, activists, and journalists worldwide. The spyware’s parent company, Intellexa, was placed on the U.S. Commerce Department’s Entity List in July 2023, restricting its ability to conduct business with American entities due to national security concerns. Despite this, and recent reports suggesting a slowdown in its deployment, Predator remains active in several countries, including Pakistan, Mongolia, Angola, Saudi Arabia, and Kazakhstan.

Apple was contacted for comment on Jamf’s findings but did not respond.
