Predator Spyware Hides iOS Recording Indicators via SpringBoard Hooking

First reported

21.02.2026 18:13

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

Intellexa’s Predator spyware leverages kernel-level access to hook iOS SpringBoard and suppress camera and microphone activity indicators. The malware intercepts sensor activity updates, preventing the display of green or orange dots in the status bar. This allows Predator to operate stealthily, hiding its surveillance activities from users. The spyware exploits previously obtained kernel access rather than zero-day vulnerabilities.

Timeline

21.02.2026 18:13 1 articles · 6h ago

Predator Spyware Hides iOS Recording Indicators via SpringBoard Hooking
Researchers at Jamf analyzed Predator samples and documented how the spyware hides recording indicators on iOS 14. By hooking a single function in SpringBoard, Predator intercepts all sensor status updates before they reach the indicator display system. This prevents the green or orange dots from appearing in the status bar, allowing the spyware to operate stealthily. The analysis also revealed dead code that attempted to hook 'SBRecordingIndicatorManager' directly, which was likely abandoned in favor of the more effective upstream interception method.
Show sources

Predator spyware hooks iOS SpringBoard to hide mic, camera activity — www.bleepingcomputer.com — 21.02.2026 18:13
Open in new tab

Information Snippets

Predator spyware hooks the 'HiddenDot::setupHook()' function in SpringBoard to intercept sensor activity updates.
First reported: 21.02.2026 18:13

1 source, 1 article
Show sources
- Predator spyware hooks iOS SpringBoard to hide mic, camera activity — www.bleepingcomputer.com — 21.02.2026 18:13
The malware nullifies the SBSensorActivityDataProvider object, preventing sensor updates from reaching the UI layer.
First reported: 21.02.2026 18:13

1 source, 1 article
Show sources
- Predator spyware hooks iOS SpringBoard to hide mic, camera activity — www.bleepingcomputer.com — 21.02.2026 18:13
Predator supports VoIP recording but lacks a dedicated indicator-suppression mechanism for it.
First reported: 21.02.2026 18:13

1 source, 1 article
Show sources
- Predator spyware hooks iOS SpringBoard to hide mic, camera activity — www.bleepingcomputer.com — 21.02.2026 18:13
The spyware uses ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks.
First reported: 21.02.2026 18:13

1 source, 1 article
Show sources
- Predator spyware hooks iOS SpringBoard to hide mic, camera activity — www.bleepingcomputer.com — 21.02.2026 18:13
Technical analysis reveals signs of malicious processes, such as unexpected memory mappings and breakpoint-based hooks.
First reported: 21.02.2026 18:13

1 source, 1 article
Show sources
- Predator spyware hooks iOS SpringBoard to hide mic, camera activity — www.bleepingcomputer.com — 21.02.2026 18:13