Apple users are unaware as Predator spyware silently hijacks the camera and microphone using stealth methods that bypass all indicator warnings | TechRadar
Overview
Apple users beware — this devious malware can hide its activity while it hijacks your camera and microphone
Details
Predator hijacks iOS camera and microphone indicators without user knowledge or consent
Kernel-level access enables Predator to inject code into critical iOS system processes
Predator suppresses visual recording indicators while maintaining persistent monitoring of devices
Apple may have introduced colored status bar indicators in iOS 14 to alert users when the camera or microphone is active, but experts have warned this does not stop all malware.
Spyware developed by Intellexa and Cytrox, dubbed Predator, can operate on compromised iOS devices without showing any camera or microphone indicators.
Predator bypasses the indicator by intercepting sensor activity updates before the system UI displays them, keeping users unaware of ongoing surveillance.
The malware does not exploit a new vulnerability; it requires previously obtained kernel-level access to hook system processes.
New research from Jamf Threat Labs has outlined how the spyware bypasses the iOS indicator by hooking the SpringBoard process, specifically targeting the `_handleNewDomainData:` method inside the `SBSensorActivityDataProvider` class.
This single hook nullifies the object responsible for passing sensor updates to the UI, preventing the green or orange dots from appearing when the camera or microphone is in use.
Previous methods, including direct hooks to the `SBRecordingIndicatorManager`, were abandoned in favor of this upstream interception, which is more efficient and less detectable.
Predator contains several modules that handle different aspects of surveillance, such as the Hidden Dot module and the Camera Enabler module.
While the former suppresses visual indicators, the latter bypasses camera permission checks using ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection.
This allows the malware to locate internal functions that are not publicly exposed and redirect execution without triggering standard iOS security alerts.
The spyware also captures VoIP audio through a separate module. Unlike Hidden Dot, the VoIP recording module does not directly suppress microphone indicators; it relies on stealth techniques to remain unnoticed.
These modules can write audio data to unusual paths and manipulate system processes, making standard detection approaches difficult.
Predator’s design complicates detection because it injects code into critical system processes such as SpringBoard and mediaserverd.
It relies on Mach exception-based hooks rather than conventional inline hooks, which makes typical endpoint protection and firewall software insufficient to detect malicious activity.
Behavioral indicators, such as unexpected audio file creation or sensor activity updates that fail to trigger UI notifications, are key signs defenders must monitor.
Observing memory mappings, exception ports, and thread state changes in system processes can also reveal signs of compromise.
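The behavioral check described above (sensor activity that never produces a UI indicator) can be sketched as a simple correlation. This is an added example, not code from Jamf or from the article; it assumes the defender already has sensor and indicator events in a normalized form, and the event names and line format are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical normalized schema
# ("<ISO time> <event> <sensor>"); this is not a real iOS log format.
SAMPLE = """\
2026-01-10T09:00:00 sensor_start microphone
2026-01-10T09:00:01 indicator_shown microphone
2026-01-10T09:05:00 sensor_stop microphone
2026-01-10T11:30:00 sensor_start camera
2026-01-10T11:42:00 sensor_stop camera
2026-01-10T13:00:00 sensor_start microphone
2026-01-10T13:00:09 indicator_shown microphone
"""

def parse(text):
    """Yield (time, event, sensor) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, event, sensor = parts
        yield datetime.fromisoformat(ts), event, sensor

def silent_activations(text, grace=timedelta(seconds=3)):
    """Return (time, sensor) for every sensor_start that has no
    indicator_shown for the same sensor within `grace` after it."""
    events = sorted(parse(text))
    shown = [(t, s) for t, e, s in events if e == "indicator_shown"]
    findings = []
    for t, e, s in events:
        if e != "sensor_start":
            continue
        matched = any(s2 == s and t <= t2 <= t + grace for t2, s2 in shown)
        if not matched:
            findings.append((t.isoformat(), s))
    return findings

if __name__ == "__main__":
    for when, sensor in silent_activations(SAMPLE):
        print(f"ALERT {when}: {sensor} active with no indicator")
```

The `grace` window is a tuning choice: too short flags ordinary UI latency, too long lets an unrelated later indicator mask a silent activation.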
Predator shows how commercial spyware can use AI tools and system-level access to carry out sophisticated surveillance on iOS devices.
Users and security teams should understand the persistence techniques Predator uses and monitor devices for subtle anomalies in sensor activity.
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.



