What happened
Researchers discovered that the commercial Predator spyware, developed by Intellexa, can suppress camera and microphone recording indicators on compromised iPhones by hooking into the iOS SpringBoard process and intercepting sensor activity updates. The spyware uses a function called HiddenDot to nullify the SBSensorActivityDataProvider object responsible for reporting sensor activity, preventing the green or orange privacy indicator dots from appearing when the camera or microphone is active. This enables Predator to secretly stream audio and video without alerting the user. Additional modules use kernel-level access, ARM64 instruction pattern matching, and Pointer Authentication Code (PAC) redirection to enable surveillance and bypass camera permission checks.
Who is affected
Users of iPhones infected with Predator spyware are affected: the malware can secretly access the camera and microphone while hiding the visual recording indicators that iOS uses to alert users to sensor activity.
Why CISOs should care
The ability of Predator spyware to suppress privacy indicators demonstrates how advanced surveillance malware can conceal active monitoring of compromised mobile devices, enabling covert data collection without visible signs to users or administrators.
3 practical actions
- Monitor mobile devices for forensic indicators. Watch for unusual memory mappings, exception ports, or abnormal processes in SpringBoard or mediaserverd.
- Investigate suspicious surveillance activity. Identify unexpected audio files or sensor activity linked to compromised devices.
- Track advanced spyware threats. Analyze mobile device behavior to detect hidden sensor access or surveillance activity.
