
Silent Surveillance: How Predator Spyware Conceals Mic and Camera Activity on iOS SpringBoard


Predator Spyware Hooks iOS SpringBoard to Conceal Mic and Camera Activity

Intellexa’s Predator spyware has the capability to conceal iOS recording indicators while surreptitiously streaming camera and microphone feeds to its operators.

The malware does not exploit any vulnerabilities in iOS but rather utilizes previously acquired kernel-level access to manipulate system indicators that would typically expose its surveillance activities.

Apple introduced recording indicators on the status bar in iOS 14 to notify users when the camera or microphone is in use, denoted by a green or orange dot, respectively.

US-sanctioned surveillance firm Intellexa developed the Predator commercial spyware, deploying it through attacks that exploited Apple and Chrome zero-day flaws and 0-click infection methods.

While the spyware’s ability to suppress camera and microphone activity indicators is well-documented, the specific mechanism behind this functionality was previously unclear.

iPhone cam/mic activation indicators
Source: Jamf

How Predator Conceals Recording Activity

Researchers at mobile device management company Jamf conducted an analysis of Predator samples, uncovering the process by which it hides privacy-related indicators.

According to Jamf, Predator conceals all recording indicators on iOS 14 with a single hook (‘HiddenDot::setupHook()’) installed inside SpringBoard, targeting a method that iOS invokes whenever sensor activity changes (such as camera or microphone activation).

By intercepting this function, Predator stops sensor activity updates from reaching the UI layer, so the green or orange dot never appears.

“The target method _handleNewDomainData: is called by iOS whenever sensor activity changes – camera turns on, microphone activates, etc.,” explained Jamf researchers.

“By hooking this single method, Predator intercepts ALL sensor status updates before they reach the indicator display system.”

Function targeting the SBSensorActivityDataProvider
Source: Jamf

The hook works by nulling out the object responsible for sensor updates (SBSensorActivityDataProvider in SpringBoard). In Objective-C, messages sent to a nil object are silently dropped, so SpringBoard never processes the camera or microphone activation and no indicator is displayed.

As SBSensorActivityDataProvider consolidates all sensor activity, this single hook disables both the camera and microphone indicators.

Additionally, researchers discovered “dead code” that attempted to hook ‘SBRecordingIndicatorManager’ directly. Although this does not execute, it likely represents an earlier development path that was abandoned in favor of the more effective approach that intercepts sensor data upstream.

For VoIP recordings supported by Predator, the associated module lacks an indicator suppression mechanism and relies on the HiddenDot function for stealth.

Jamf further explained that camera access is facilitated through a separate module that identifies internal camera functions using ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection to bypass camera permission checks.

With no indicators lighting up on the status bar, the spyware’s activities remain completely concealed from the average user.

Jamf highlighted that technical analysis reveals signs of malicious processes, such as unexpected memory mappings or exception ports in SpringBoard and mediaserverd, breakpoint-based hooks, and audio files written by mediaserverd to atypical paths.
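As an added example (not code from Jamf's report or from the article), the following Python triages constructed telemetry records for two of the signs listed above: executable mappings in SpringBoard that are not backed by system locations, and audio files written by mediaserverd outside its usual directories. The record format, the directory allowlists and every path shown are assumptions made for this example.

```python
"""Triage of constructed host telemetry for two Predator-style signs
Jamf lists: unexpected executable mappings in SpringBoard and audio
files written by mediaserverd to atypical paths. The record format,
allowlists and paths are assumptions, not real iOS tool output."""
import re
from dataclasses import dataclass

# Constructed records: "<process> map <perm> <image path>"
#                   or "<process> write <path>"
SAMPLE_EVENTS = """\
SpringBoard map r-x /System/Library/CoreServices/SpringBoard.app/SpringBoard
SpringBoard map r-x /usr/lib/libobjc.A.dylib
SpringBoard map r-x /private/var/tmp/.cache/libhidden.dylib
mediaserverd write /private/var/mobile/Media/Recordings/20240101 120000.m4a
mediaserverd write /private/var/tmp/.s/rec_0042.m4a
mediaserverd write /private/var/tmp/.s/state.dat
"""

# Assumed allowlists: where code legitimately backs SpringBoard's
# executable mappings, and where mediaserverd legitimately writes audio.
TRUSTED_IMAGE_PREFIXES = ("/System/", "/usr/lib/")
EXPECTED_AUDIO_DIRS = ("/private/var/mobile/Media/Recordings/",)
AUDIO_EXT = re.compile(r"\.(m4a|caf|wav|aac)$", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    process: str
    reason: str
    path: str

def triage(events: str) -> list[Finding]:
    """Return one Finding per record that violates an allowlist."""
    findings = []
    for line in events.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip blank or malformed records
        proc, kind = parts[0], parts[1]
        if proc == "SpringBoard" and kind == "map" and len(parts) == 4:
            perm, path = parts[2], parts[3]
            # Executable mapping backed by a file outside system locations
            if "x" in perm and not path.startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(Finding(proc, "executable mapping outside system paths", path))
        elif proc == "mediaserverd" and kind == "write":
            path = line.split(maxsplit=2)[2]  # path may contain spaces
            if AUDIO_EXT.search(path) and not path.startswith(EXPECTED_AUDIO_DIRS):
                findings.append(Finding(proc, "audio file written to atypical path", path))
    return findings
```

Running `triage(SAMPLE_EVENTS)` on the constructed records flags the SpringBoard mapping under /private/var/tmp and the .m4a written outside the Recordings directory, while the legitimate mapping, the in-place recording and the non-audio file pass.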

BleepingComputer reached out to Apple for a comment on Jamf’s findings, but the company did not respond.
