Behind the recording light: how Predator hides the activity of the camera and microphone in iOS 14


Starting with iOS 14, Apple added two simple but very useful visual signals to the status bar: a green dot when the camera is in use and an orange dot when the microphone is recording. The idea was to give the user immediate confirmation that a sensor is active, a basic protection against unwanted access to the phone's camera and audio. Those little lights are designed to be a clear warning that is difficult to ignore, but researchers have shown that they are not infallible against advanced threats.

The commercial spyware vendor Intellexa, known for its Predator product and for having been linked to attacks that exploited zero-day flaws in different ecosystems, developed a mechanism that keeps that indicator from lighting up even while the camera or microphone is in use. It is important to note that, according to the most recent technical analysis, Predator does not directly exploit an iOS vulnerability to suppress the light; instead, it operates from prior kernel-level access, which allows it to modify the system components that control the interface.

Image generated with AI.

The analysis published by Jamf researchers provides the clearest technical description to date of how this deception is carried out. According to Jamf, Predator inserts a "hook" (an interception of execution) into SpringBoard, the process that handles the home screen and most of the system's visual elements. Specifically, the malware intercepts the call iOS makes when a sensor's state changes (e.g. when the camera or microphone is activated) and prevents that information from reaching the subsystem in charge of drawing the indicators on the status bar. The Jamf post details this behavior and serves as a technical reference: Jamf analysis of the recording indicator bypass.

The technique takes advantage of how Objective-C is implemented in iOS: one of the intercepted functions sets to nil the instance that provides the sensors' activity data (the object known as SBSensorActivityDataProvider). In Objective-C, sending a message to a nil reference is silently ignored, so SpringBoard never processes the notification that the camera or microphone has been activated, and therefore the green or orange dot does not appear. It is an "upstream" intervention in the state-reporting chain: by cutting the signal at its origin, the system is prevented from showing any visual trace. For those who want to review the Objective-C messaging documentation, Apple maintains technical information on how messages sent to nil behave: message behavior in Objective-C.
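The language behavior the paragraph relies on is easy to reproduce in a few lines. The following Objective-C program is an added illustration, not code from Jamf's analysis or from Apple; the classes SensorActivityDataProvider and IndicatorController are hypothetical stand-ins for the private SpringBoard objects named above and do not reproduce their real interfaces. It shows why a nil data provider makes the indicator vanish without any error, and the kind of integrity check a consumer could apply so that a missing provider is treated as a fault rather than as "no activity".

```objective-c
// demo.m -- added illustration (not Jamf's or Apple's code).
// Build on macOS: clang -fobjc-arc -framework Foundation demo.m -o demo && ./demo
#import <Foundation/Foundation.h>

// Hypothetical stand-in for the data provider object the article mentions;
// the real SBSensorActivityDataProvider is private and differs in shape.
@interface SensorActivityDataProvider : NSObject
- (BOOL)isCameraActive;
- (BOOL)isMicrophoneActive;
@end

@implementation SensorActivityDataProvider
- (BOOL)isCameraActive { return YES; }       // constructed: pretend the camera is on
- (BOOL)isMicrophoneActive { return NO; }
@end

// Hypothetical consumer modelled on the status-bar indicator logic.
@interface IndicatorController : NSObject
@property (nonatomic, strong) SensorActivityDataProvider *provider;
- (NSString *)indicatorForCurrentState;
- (NSString *)indicatorWithIntegrityCheck:(NSError **)error;
@end

@implementation IndicatorController
// Naive version: assumes the provider is always present.
- (NSString *)indicatorForCurrentState {
    // If self.provider is nil, both messages below return NO without any
    // error, so the method answers "none" even while a sensor is really active.
    if ([self.provider isCameraActive]) return @"green";
    if ([self.provider isMicrophoneActive]) return @"orange";
    return @"none";
}

// Defensive version: a missing provider is an integrity failure, not "no activity".
- (NSString *)indicatorWithIntegrityCheck:(NSError **)error {
    if (self.provider == nil) {
        if (error) {
            *error = [NSError errorWithDomain:@"IndicatorIntegrity"
                                         code:1
                                     userInfo:@{NSLocalizedDescriptionKey:
                                                @"sensor activity provider is nil"}];
        }
        return nil;
    }
    return [self indicatorForCurrentState];
}
@end

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        IndicatorController *ctl = [IndicatorController new];
        ctl.provider = [SensorActivityDataProvider new];
        NSLog(@"intact provider -> %@", [ctl indicatorForCurrentState]);   // green

        // Reproduce the effect described in the article: the provider reference
        // is nulled. Nothing crashes; the indicator simply disappears.
        ctl.provider = nil;
        NSLog(@"nil provider     -> %@", [ctl indicatorForCurrentState]);   // none

        // With the integrity check, the same condition surfaces as an error.
        NSError *err = nil;
        NSString *ind = [ctl indicatorWithIntegrityCheck:&err];
        NSLog(@"with check       -> %@ (%@)", ind ?: @"<nil>", err.localizedDescription);
    }
    return 0;
}
```

The point of the defensive variant is not that it would stop an attacker with kernel privileges (who can patch the check as easily as the provider), but that "silently returns NO" is a poor failure mode for any security-relevant signal: code that consumes such a signal should distinguish "the source reports nothing" from "the source is gone".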

Jamf's work also found inactive code that appeared to try another route: hooking the indicator manager (SBRecordingIndicatorManager) directly. That path was apparently discarded by the spyware's developers in favor of the approach that acts further "upstream" and covers all sensors more reliably. Another interesting detail is that the VoIP recording module does not include its own indicator-suppression mechanism, so it depends on the same intercepting function to stay hidden.

To gain access to the camera, Predator is not limited to public APIs: it uses modules that locate internal camera functions by matching ARM64 instruction patterns and redirect execution while working around mitigations such as Pointer Authentication Codes (PAC). These advanced techniques allow it to sidestep the conventional permission controls Apple applies to apps. Pattern-matching instructions and redirecting execution in this way is a sophisticated mechanism that requires detailed knowledge of the hardware and of the iOS binaries.

Although defeating the activity light is perhaps the most striking part, forensic analysis reveals other signs of compromise that security teams can detect: unexpected memory mappings in critical processes such as SpringBoard and mediaserverd, unusual exception ports, breakpoint-based hooks, and audio files written by system processes to atypical paths. Jamf describes these traces and offers detection guidance for managed environments.

The findings reached the technical press and specialized sites, which have summarized the practical implications. BleepingComputer, for example, covered the research and contacted Apple for comment on the findings: Coverage in BleepingComputer. Apple, for its part, introduced the recording indicators in iOS 14 as part of a set of new features aimed at user privacy and security; the company described those improvements when announcing iOS 14: iOS 14 and new privacy features.

What practical conclusions follow from this for the average user? First, the status-bar lights are a useful but not infallible barrier against actors with advanced capabilities and deep access to the device. The real risk arises when an attacker already holds low-level (kernel) privileges on the device, because from there they can alter the system's behavior in ways that a simple software update cannot fix unless the persistence is also removed. Second, compromise usually leaves technical traces that management and defense tools can and should look for; mobile device management (MDM) vendors and incident response teams should therefore collect and analyze symptoms such as unusually mapped memory in processes or modifications to critical services.

Image generated with AI.

In terms of prevention, keeping the system up to date and applying patches is necessary but may not be sufficient if a privilege escalation has already taken place. Best practice therefore combines regular updates, management policies, active monitoring of the device, and caution with unknown links or files. For organizations and users at high risk, using managed detection solutions and professional forensic analysis when compromise is suspected is a sensible measure.

The Predator case is a strong reminder of the complexity of the commercial surveillance ecosystem. While platforms introduce visible and useful privacy improvements, actors capable of operating at the kernel level and manipulating internal system components can find ways around these protections. The response requires both technical measures from operating system developers and public policies that regulate the sale and use of intrusion tools.

If you want to read the original technical report, Jamf's publication is the best starting point: detailed analysis by Jamf. For a more general account of the news and its context, the BleepingComputer article contains the key points: summary in BleepingComputer. Finally, Apple's explanation of the privacy improvements in iOS 14 can be found in its official release: iOS 14: privacy.
