iPhone Privacy Alert: Predator Spyware Can Hide Camera, Mic Indicators
The tiny green and orange dots on your iPhone are supposed to protect you. But new research shows they can be silenced.
Reports from security outlets show that Intellexa’s Predator spyware can suppress Apple’s built-in camera and microphone indicators on compromised devices. This technique works after attackers gain deep system access, allowing them to quietly override the visual alerts users trust to signal recording activity.
Jamf details how Predator disables recording indicators
BleepingComputer reported that researchers at Jamf analyzed Predator samples and uncovered how the spyware bypasses Apple’s recording indicators.
Apple introduced colored status bar indicators in iOS 14 to alert users when apps access sensitive sensors. A green dot signals camera use, and an orange dot signals microphone activity.
“According to Jamf, Predator hides all recording indicators on iOS 14 by using a single hook function (‘HiddenDot::setupHook()’) inside SpringBoard, invoking the method whenever sensor activity changes (upon camera or microphone activation),” BleepingComputer wrote.
The outlet further reported that the targeted system method is triggered whenever camera or microphone activity changes. By intercepting that call, Predator prevents updates from reaching the interface, ensuring the status bar indicator never appears.
Jamf Threat Labs made clear that their work documents post-compromise behaviors, not a newly discovered iOS vulnerability.
“This research is malware analysis documenting how already-deployed commercial spyware (Predator) operates post-compromise,” Jamf stated. “It is not a vulnerability disclosure,” the authors added.
Jamf’s analysis explains that the spyware interferes with the system component responsible for tracking camera and microphone activity inside SpringBoard. By nullifying that component, iOS silently ignores activation events, so the colored dots never appear, even while recording.
BleepingComputer also noted that researchers found unused code that attempted to disable the recording indicator through a different method. While Apple didn’t comment on the findings, the publication believes that this was likely an earlier development approach that was later abandoned.
No new iOS flaw, but deeper compromise concerns
Jamf emphasized that the method requires a device to be fully compromised, including kernel-level access and the ability to inject code into system processes. The researchers explained that they didn’t find new vulnerabilities in current versions of iOS.
Jamf’s analysis shows that Predator uses Objective-C nil messaging to suppress sensor activity updates and relies on a single hook that simultaneously disables both the camera and microphone indicators.
The spyware can also record VoIP calls, but unlike its camera and microphone suppression, this capability lacks built-in stealth.
Even if privacy indicators are suppressed, investigators may still spot signs of compromise. Jamf also said that unexpected memory mappings in SpringBoard or mediaserverd, breakpoint-based hooks, and unusual audio file paths created by system processes could indicate malicious activity.
Learn how Apple addressed CVE-2026-20700, a zero-day vulnerability exploited in sophisticated attacks.
About Author
