{"id":25357,"date":"2026-03-20T15:40:14","date_gmt":"2026-03-20T11:40:14","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=25357"},"modified":"2026-03-27T22:31:06","modified_gmt":"2026-03-27T18:31:06","slug":"predator-spyware-ios-recording-indicator-bypass","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/predator-spyware-ios-recording-indicator-bypass\/25357\/","title":{"rendered":"Predator vs. iPhone: the art of invisible surveillance"},"content":{"rendered":"

Cybersecurity researchers have taken a close look<\/a> at the inner workings of the Predator spyware, developed by the Cyprus-based company Intellexa. Rather than focusing on how the spyware initially infects a device, this latest research zooms in on how the malware behaves once a device has already been compromised.<\/p>\n

The most fascinating discovery involves the mechanisms the Trojan uses to hide iOS camera and microphone indicators. By doing so, it can covertly spy on the infected user. In today\u2019s post, we break down what Predator spyware actually is, how the iOS indicator system is designed to work, and how this malware manages to disable these indicators.<\/p>\n

What Predator is, how it works, and what\u2026 Alien has to do with it<\/h2>\n

We previously took a deep dive into the most notorious commercial spyware out there in a dedicated feature \u2014 where we discussed the star of today\u2019s post, Predator, among the others. You can check out that earlier post<\/a> for a detailed review of this spyware, but for now, here\u2019s a quick refresher on the essentials.<\/p>\n

Predator was originally developed by a North Macedonian company named Cytrox. It was later acquired by the aforementioned Intellexa, a Cyprus-registered firm owned by a former Israeli intelligence officer \u2014 a truly international spy games collaboration.<\/p>\n

Strictly speaking, Predator is the second half of a spyware duo designed to monitor iOS and Android users. The first component is named Alien; it\u2019s responsible for compromising a device and installing Predator. As you might\u2019ve guessed, these pieces of malware are named after the famous Alien vs. Predator<\/a> franchise.<\/p>\n

An attack using Intellexa\u2019s software typically begins with a message containing a malicious link. When the victim clicks it, they\u2019re directed to a site that leverages a chain of browser and OS vulnerabilities to infect the device. To keep things looking normal and avoid raising suspicion, the user is then redirected to a legitimate website.<\/p>\n

Besides Alien, Intellexa offers several other delivery vehicles for landing Predator on a target\u2019s device. These include the Mars and Jupiter systems, which are installed on the service provider\u2019s side to infect devices through a man-in-the-middle<\/a> attack.<\/p>\n

Predator spyware for iOS comes packed with a wide array of surveillance tools. Most notably, it can record and transmit data from the device\u2019s camera and microphone. Naturally, to keep the user from catching on to this suspicious activity, the system\u2019s built-in recording indicators \u2014 the green and orange dots at the top of the screen \u2014 must be disabled. While it\u2019s been known for some time that Predator could somehow hide these alerts, it\u2019s only thanks to this research that we know how exactly it pulls it off.<\/p>\n

How the iOS camera and microphone indicator system works<\/h2>\n

To understand how Predator disables these indicators, we first need to look at how iOS handles them. Since the release of iOS 14 in 2020, Apple devices have alerted users<\/a> whenever the microphone or camera is active by displaying an orange or green dot at the top of the screen. If both are running simultaneously, only the green dot is shown.<\/p>\n

\"Microphone<\/a>

In iOS 14 and later, an orange dot appears at the top of the screen when the microphone is in use. Source<\/a><\/p><\/div>\n

Just like other iOS user interface elements, recording indicators are managed by a process called SpringBoard<\/a>, which is responsible for the device\u2019s system-wide UI. When an app starts using the camera or microphone, the system registers the change in that specific module\u2019s state. This activity data is then gathered by an internal system component, which passes the information to SpringBoard for processing. Once SpringBoard receives word that the camera or microphone is active, it toggles the green or orange dot on or off based on that data.<\/p>\n

\"Camera<\/a>

If the camera is in use (or both the camera and microphone are), a green dot appears. Source<\/a><\/p><\/div>\n

From an app\u2019s perspective, the process works like this: first, the app requests permission to access<\/a> the camera or microphone through the standard iOS permission<\/a> mechanism. When the app actually needs to use one or both of these modules, it calls the iOS system API. If the user has granted permission, iOS activates the requested module and automatically updates the status indicator. These indicators are strictly controlled by the operating system; third-party apps have no direct access to them.<\/p>\n

How Predator interferes with the iOS camera and microphone indicators<\/h2>\n

Cybersecurity researchers analyzed a captured version of Predator and uncovered traces of multiple techniques used by the spyware\u2019s creators to bypass built-in iOS mechanisms and disable recording indicators.<\/p>\n

In the first approach \u2014 which appears to have been used during early development \u2014 the malware attempted to interfere with the indicators at the display stage right after SpringBoard received word that the camera or microphone was active. However, this method was likely deemed too complex and unreliable by the developers. As a result, this specific function remains in the Trojan as dead code \u2014 it\u2019s never actually executed.<\/p>\n

Ultimately, Predator settled on a simpler, more effective method that operates at the very level where the system receives data about the camera or microphone being turned on. To do this, Predator intercepts the communication between SpringBoard and the specific component responsible for collecting activity data from these modules.<\/p>\n

By exploiting the specific characteristics of Objective-C \u2014 the programming language used to write the SpringBoard application \u2014 the malware completely blocks the signals indicating that the camera or microphone has been activated. As a result, SpringBoard never receives the signal that the module\u2019s status has changed, so it never triggers the recording indicators.<\/p>\n

How to lower your risk of spyware infection<\/h2>\n

Predator-grade spyware is quite expensive, and typically reserved for high-stakes industrial or state-sponsored espionage. On one hand, this means defending against such a high-tier threat is difficult \u2014 and achieving 100% protection is likely impossible. On the other hand, for these same reasons, the average user is statistically unlikely to be targeted.<\/p>\n

However, if you\u2019ve reason to believe you\u2019re at risk from Predator or Pegasus-class spyware, here are a few steps you can take to make an attacker\u2019s job much harder:<\/p>\n