Predator spyware bypasses iOS camera and microphone indicators
Feb 22nd 2026
Jamf Threat Labs reverse engineered Predator iOS samples and found a single hook that suppresses both the green camera and orange microphone status dots by nulling the Objective-C self pointer. The technique requires prior kernel-level compromise and code injection into system processes and does not represent a new iOS vulnerability.
- A single hook on SBSensorActivityDataProvider._handleNewDomainData: sets the Objective-C self pointer to NULL so sensor updates are silently dropped and status dots never appear.
- The technique requires a full device compromise, including kernel-level access and code injection into SpringBoard and mediaserverd, and is not a new iOS vulnerability.
- One hook suppresses both camera and microphone indicators by intercepting sensor data at the provider before it reaches the UI layer.
- The VoIP recording module lacks built-in indicator suppression and relies on operators enabling the HiddenDot module for stealth.
- Detection should focus on unexpected code injection into system processes, non-system Mach exception handlers, thread state modifications, and mismatches between actual sensor use and visible indicators.