Intellexa’s Predator spyware can suppress iOS recording indicators to secretly stream camera and microphone feeds from infected devices. Jamf’s analysis shows Predator hooks SpringBoard’s sensor update path (HiddenDot::setupHook) to nullify SBSensorActivityDataProvider and prevent the green/orange dots from appearing, while using ARM64 pattern matching and PAC redirection to enable camera access. #Predator #Intellexa
Key points
- Predator hides iOS 14 camera and microphone indicators to conduct covert surveillance.
- Through HiddenDot::setupHook, the spyware intercepts a single SpringBoard method to block sensor updates.
- Nullifying SBSensorActivityDataProvider causes SpringBoard to ignore camera/mic activation events.
- Camera access is achieved via ARM64 instruction pattern matching and PAC redirection to bypass permissions.
- Jamf identified forensic signs such as unusual memory mappings, exception ports, and breakpoint hooks.