Cyber: Predator Spyware Hooks Ios Springboard To Hide Mic, Camera Activity

Intellexa’s Predator spyware can hide iOS recording indicators while secretly streaming camera and microphone feeds to its operators.

The malware does not exploit any iOS vulnerability but leverages previously obtained kernel-level access to hijack system indicators that would otherwise expose its surveillance operation.

Apple introduced recording indicators on the status bar in iOS 14 to alert users when the camera or microphone is in use, displaying a green or an orange dot, respectively.

US-sanctioned surveillance firm Intellexa developed the Predator commercial spyware and delivered it in attacks that exploited Apple and Chrome zero-day flaws and through 0-click infection mechanisms.

While its ability to suppress camera and microphone activity indicators is well known, it was unclear how the mechanism worked.

According to Jamf, Predator hides all recording indicators on iOS 14 by using a single hook function (‘HiddenDot::setupHook()’) inside SpringBoard, invoking the method whenever sensor activity changes (upon camera or microphone activation).

By intercepting it, Predator prevents sensor activity updates from ever reaching the UI layer, so the green or red dot never lights up.

“The target method _handleNewDomainData: is called by iOS whenever sensor activity changes - camera turns on, microphone activates, etc.,” Jamf researchers explain.

“By hooking this single method, Predator intercepts ALL sensor status updates before they reach the indicator display system.”

The hook works by nullifying the object responsible for sensor updates (SBSensorActivityDataProvider in SpringBoard). In Objective-C, calls to a null object are silently ignored, so SpringBoard never processes the camera or microphone activation, and no indicator appears.

Source: BleepingComputer