How Predator spyware defeats iOS recording indicators#1945

Open
carlospolop wants to merge 1 commit into master from update_How_Predator_spyware_defeats_iOS_recording_indicat_20260225_185313
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title: How Predator spyware defeats iOS recording indicators (Jamf Threat Labs, Feb 19, 2026)


Scope / what this is (and is not): This is reverse-engineering of a post-compromise iOS Predator (Intellexa/Cytrox) spyware sample. It documents how the spyware suppresses iOS 14+ privacy indicators (green dot = camera, orange dot = microphone). The authors explicitly state this is not a new iOS vulnerability disclosure.

🔧 Technical Details

Indicator suppression by nulling Objective-C self (nil messaging) at a central sensor-update choke point: If you already have code execution/injection inside SpringBoard, hook the private method SBSensorActivityDataProvider._handleNewDomainData: (invoked on sensor activity changes). On ARM64, Objective-C passes self in x0, _cmd in x1, and the first argument in x2. Modify the saved thread state so x0=0 before the method executes, transforming [obj _handleNewDomainData:newData] into [nil _handleNewDomainData:newData]. Because Objective-C messages to nil are silently ignored, the sensor update is dropped and the UI never renders camera/mic dots. The blog shows this can be done with a single store-zero instruction (STR XZR) applied to the stored register state.

Mach exception-based hooking (DMHooker) to...

🤖 Agent Actions

Summary:

  • Expanded Predator post-compromise hook tradecraft details in src/binary-exploitation/ios-exploiting/README.md (HiddenDot nil-messaging suppression in SpringBoard, Mach exception hook semantics, PAC-aware redirect, VoIP capture pipeline), and added the Jamf blog to References. (jamf.com)

Tests: Not run.

Notes:

  • Edits are intentionally scoped to the existing iOS exploiting page to avoid duplication while capturing the new techniques described by Jamf. (jamf.com)

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.jamf.com/blog/predator-spyware-ios-recording-indicator-bypass-analysis/

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> iOS Pentesting (new page/topic: SpringBoard/Mach-exception hooking & privacy indicator suppression) and/or Binary Exploitation -> iOS Exploiting (PAC-aware redirection / exception-based hooks)".

Repository Maintenance:

  • MD Files Formatting: 949 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
