New Report: How Spyware Secretly Monitors Your iPhone

Predator spyware for iPhone is now in the spotlight after a new technical analysis from Jamf Threat Labs shows how advanced commercial spyware can bypass Apple’s security indicators and silently activate the camera and microphone.

New research from Jamf Threat Labs publicly demonstrates, for the first time, how commercial spyware can circumvent iPhone camera and microphone indicators and surveil devices without the user noticing. The report documents real-world use of Predator spyware and provides a rare, detailed look at how some of today’s most sophisticated mobile threats operate in practice.

On an iPhone, the screen normally displays a green or orange indicator when the camera or microphone is in use. While it has long been theoretically possible to bypass these signals, Jamf Threat Labs now provides the first technical analysis showing exactly how this can be achieved in practice.

“This is not a new iOS vulnerability that requires a security patch from Apple,” says Adam Boynton, Enterprise Strategy Manager, EMEA. “This malware analysis explains how already-installed spyware behaves after a device has been compromised. The report’s goal is to help defenders better understand the threat landscape and to build stronger detection capabilities for these kinds of attacks.”

The report explains how Predator spyware, developed by Intellexa/Cytrox, can suppress iOS security indicators while continuing to record from the camera and microphone — all while the device remains fully operational.

Key findings from the report include:

  • A single technical manipulation disables both camera and microphone warnings: Predator simultaneously blocks the green camera dot and the orange microphone indicator by intercepting sensor data before it reaches the user interface, making the monitoring activity invisible to the user.
  • Recording can proceed without system alerts: By manipulating internal iOS objects, Predator causes changes in recording status to be ignored entirely — with no error messages or visual cues presented to the user.
  • Modular and stealthy design: Predator’s call-recording functionality does not contain code to turn off indicators itself; instead it relies on another module to perform that action. This modular approach signals an advanced architecture designed for stealth and flexibility.
  • Advanced targeting of iOS internals: Jamf Threat Labs documents how Predator targets private iOS frameworks and leverages ARM64 techniques to secretly access the camera, including rerouting authenticated code execution paths.

“These types of attacks are extremely difficult for an individual user to detect. That’s why organizations must proactively manage security: keep operating systems up to date, restrict permissions, avoid unknown apps and links, and—most importantly—use solutions that continuously monitor device behavior. IT teams should watch for unusual activity, unexpected battery drain, or unexplained data traffic, as these can be early signs of device compromise,” Adam Boynton adds.

Full report available from Jamf: https://www.jamf.com/blog/predator-spyware-ios-recording-indicator-bypass-analysis/
