惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
WordPress大学
WordPress大学
博客园 - 【当耐特】
Engineering at Meta
Engineering at Meta
IT之家
IT之家
Apple Machine Learning Research
Apple Machine Learning Research
小众软件
小众软件
美团技术团队
S
SegmentFault 最新的问题
The GitHub Blog
The GitHub Blog
Martin Fowler
Martin Fowler
Recorded Future
Recorded Future
H
Help Net Security
aimingoo的专栏
aimingoo的专栏
Y
Y Combinator Blog
博客园_首页
A
About on SuperTechFans
MongoDB | Blog
MongoDB | Blog
阮一峰的网络日志
阮一峰的网络日志
V
Visual Studio Blog
D
DataBreaches.Net
人人都是产品经理
人人都是产品经理
大猫的无限游戏
大猫的无限游戏
B
Blog
The Register - Security
The Register - Security
I
InfoQ
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
雷峰网
雷峰网
Last Week in AI
Last Week in AI
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
Blog — PlanetScale
Blog — PlanetScale
N
Netflix TechBlog - Medium
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
有赞技术团队
有赞技术团队
Stack Overflow Blog
Stack Overflow Blog
Jina AI
Jina AI
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News - Newest:
Hacker News - Newest: "LLM"
U
Unit 42
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
W
WeLiveSecurity
Latest news
Latest news
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
博客园 - 叶小钗
L
Lohrmann on Cybersecurity
博客园 - Franky
Recent Commits to openclaw:main
Recent Commits to openclaw:main
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Jamf Blog

Jamf Nation Live 2026 London and Berlin: AI Governance and DDM 5 Mac Security Gaps Hiding in Your Apple Fleet Classroom Management Tools and Student Learning Outcomes Mobile forensics, minutes not weeks Turn Security Signals into Action with Jamf and Amplifier Security Strengthen Jamf Zero Trust Network Access With Dedicated Internet Gateway Jamf AI Assistant Now Available: Smarter Apple Device Management and Security MacBook Neo: The New Enterprise Entry Point for Mac at Scale Boost Employee Productivity in the Enterprise with Jamf Platform Authentication and Declarative Device Management: The Future of Apple Management Automation for Small IT Teams: Save Time Managing Macs What a lower-cost MacBook Neo means for education Where Apple Meets the Enterprise: Jamf’s Interoperability Advantage for Secure, Automated Access Control Simplify access, secure your apps: why SSO matters for K-12 Inside Predator’s kernel engine RSA Conference 2026 recap: AI security, enterprise mobile security and the shift to connected security platforms ClickFix technique uses Script Editor instead of Terminal on macOS Why Mac configurations fall out of sync — and how to fix them G2 names Jamf in its 2026 Best Software Awards across three categories Empowering Mac users: How Jamf Self Service+ reduces tier one support overhead for enterprise IT teams Privacy by default, flexible when required: introducing limited privacy in Jamf Safe Internet From arrival to discharge: how iOS is reimagining the healthcare journey Federated Identity Management for K-12 Education Identity and access management in K-12 schools OpenClaw: the helpful AI that could quietly become your biggest insider threat Get Started with Scripting Series: macOS Terminal, Scripting and Jamf Pro API Managing Apple devices at Black Hat Europe with Jamf Scaling device deployments without scaling your IT team Making Mac work in a PC world The hidden costs of manual device provisioning Threat Actors Expand Abuse of Microsoft Visual Studio Code Mac management and security for lean IT teams Automated certificate management and device security integration The hidden risks in your mobile apps “Mac in 2026: Secure by Design Meets the Enterprise” webinar Jamf named a Unified Endpoint Management leader…again! Jamf recognized as a Leader in 2026 Gartner® Magic Quadrant™ for Endpoint Management Tools Predator’s kill switch: undocumented anti-analysis techniques in iOS spyware 2026: what to expect in tech Retail runs on iOS: Let’s take a tour through Jamf’s booth at NRF 2026 From ClickFix to code signed: the quiet shift of MacSync Stealer malware Jamf After Dark: How WorkBrew solves Homebrew security and compliance for Mac developers Managing emerging technologies: A playbook for modern IT leaders How schools can maximize learning using Apple devices and Jamf Practical intelligence: why it matters for enterprise teams Jamf Connect Q&A Jamf After Dark October recap: platform progress, identity shifts and security insights Powering managed virtualization and Windows app delivery in Mac-first enterprises FlexibleFerret malware continues to strike Managing Jamf configuration with Terraform and GitOps workflows Back to security basics: phishing Introducing the Jamf 140 Course HIMSS 2026 recap Introducing Beacon by Jamf Threat Labs GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer Android and Jamf: manage and secure your mobile fleet Social engineering in K-12 for beginners Jamf Nation Live 2026: Hands-On Apple Expertise Across Six Cities Developer Mode-as-a-Defense: How iOS Security Features Deter Nation-State Spyware Stop chasing passwords: how school IT can reduce reset tickets Bring Your Own Key (BYOK): Take Control of Your Encryption in Jamf Cloud DarkSword iOS Exploit Kit: 3 Lessons for Mobile Security Threat Labs Jamf Training Celebrates 20 Years of Apple IT Education and Certification Balancing Safety and Learning: K-12 Content Filtering for IT Admins Why Mac security updates take too long and how to fix it Why the Jamf platform is the natural foundation for MSPs Jamf After Dark: mobile forensics Introducing the redesigned Mac threat prevention. Now available in beta.  Beyond access: rethinking the complete Apple deployment strategy for education Gain faster updates and real-time fleet visibility with DDM What the Canvas breach tells us about the state of education security Why K-12 students need web filtering that travels with their devices Jamf spotlighted in Okta Businesses at Work 2026 Report Jamf Nation Live 2026 recap MobiDash internals: ghost clicks and SSH tunnels in commercial adware Tech Partner Spotlight: Jamf + SmallStep MacBook Neo in K-12 Closing the gaps: How Jamf protects macOS and iOS with real-time threat prevention MSP engineering: The art of scoping in Jamf Pro at scale Mac in education is evolving. Jamf School makes it simple Why Apple devices deserve security built for them Seamless Learning Access: Simplicity that puts learning first Reducing IT firefighting: Fewer failed updates, less manual cleanup Apple WWDC26: Keynote recap How Jamf helps maximize your Microsoft investments MTE as a microscope WWDC26: Key takeaways for education institutions WWDC26: Key takeaways for Apple admins The JNUC 2026 session catalog is live — and the clock is ticking Jamf After Dark: Why we moved 1,900+ Apple devices back to Jamf AI governance for Mac: bringing AI under management AI Adoption Is High, Governance Is Lagging Klue Third-Party Cybersecurity Incident How Identity Automation, Claris, and Jamf Simplify Apple Workflows for Education What Is AI Governance? How Proactive Device Status Reporting Transforms Mac Fleet Visibility AI Governance on Mac: A Practical Guide for IT and Security Teams Restaurants Run on iOS: Jamf and IPORT at the NRA Show AI Governance on Mac: A Practical Guide for IT and Security Teams PamStealer: macOS Malware Posing as Clipboard Manager App
How Predator spyware defeats iOS recording indicators
Jamf Threat Labs · 2026-04-11 · via Jamf Blog

Jamf Threat Labs analyzes how a commercial spyware sample (Predator) operates post-compromise.

Mobile phone with a green dot moving on the top of the screen

Authors: Nir Avraham and Hu Ke

This research is malware analysis documenting how already-deployed commercial spyware (Predator) operates post-compromise.

It is not a vulnerability disclosure.

This research is not revealing a new iOS security flaw that requires patching, rather, it explains how existing spyware works after a device has already been compromised through other means (zero-days, etc.)

This research is intended to help defenders understand the threat and build detection capabilities.

Executive summary

Since iOS 14, Apple has displayed colored status bar indicators when apps access the camera (green dot) or microphone (orange dot) — a critical privacy feature designed to alert users to potential surveillance. This analysis documents how a sample of Predator spyware, developed by Intellexa/Cytrox, surgically defeats these indicators while conducting covert surveillance

The technique outlined in this analysis requires a device to first be fully compromised, including kernel-level access to install hooks and the ability to inject code into system processes. While such compromises have been paired with Predator in the past, this research uncovers no new vulnerabilities or exploitation techniques against the latest versions of iOS.

Through reverse engineering of Predator iOS samples, we have analyzed the malware’s previously undocumented technical mechanisms including:

  • Objective-C nil messaging exploitation to silently suppress sensor activity updates
  • A single hook that defeats both camera AND microphone indicators simultaneously
  • An operational gap where VoIP recording lacks built-in stealth capabilities
  • The specific iOS private framework APIs targeted by the spyware

Table of contents

  1. Background
  2. Technical analysis
  3. Detection considerations
  4. Conclusion
  5. Indicators of compromise
  6. References

Background

iOS recording indicators

Apple introduced recording indicators in iOS 14 (2020) as a privacy protection mechanism:

Table: Green dot indicator means that camera is in use (or the camera and microphone). Orange dog indicator means that the microphone only is in use

These indicators appear in the status bar and cannot be suppressed by legitimate applications. They are managed by SpringBoard, iOS's home screen and UI controller process, through private framework classes that monitor sensor activity.

The top of two iPhones. On the left, an orange dot indicates the microphone is in use. On the right, a green dot shows the camera (and potentially the microphone) is in use.

Figure 1: An orange dot indicates the microphone is in use (left) | A green dot shows the camera is in use (right)

Prior research: NoReboot

In January 2022, ZecOps (now part of Jamf) published research on "NoReboot" — a technique demonstrating how malware could simulate a device shutdown while maintaining surveillance capabilities. NoReboot worked by:

  1. Hijacking the shutdown event
  2. Injecting into SpringBoard and BackBoard daemons
  3. Blocking SpringBoard from launching (hiding all UI)
  4. Suppressing all physical feedback (screen, vibration, touch)

This created the illusion of a powered-off device while the camera and microphone remained active.

Predator's different approach

Predator takes a fundamentally different approach. Rather than simulating device shutdown, it selectively suppresses only the recording indicators while the device remains fully operational. This is more subtle — the victim’s phone works normally, but they receive no visual warning that surveillance is occurring.

Table listing how the device state, scope, user suspicion and complexity differ between NoReboot and Predator, the latter of shows fewer signs of compromise

Technical analysis

Component overview

Predator's helper module implements four independent capabilities:

List of modules/classes with their purpose

Each module is controlled via a simple command protocol:

  • X,A,args — Allocate/initialize module X
  • X,E,args — Execute command on module X
  • X,D — Delete/destroy module X

HiddenDot: the indicator suppression mechanism

Hook installation

The HiddenDot::setupHook() function targets SpringBoard's sensor activity data provider:

Screenshot of HiddenDot::setupHook()

Figure 2: HiddenDot::setupHook() targeting SBSensorActivityDataProvider._handleNewDomainData:

The target method _handleNewDomainData: is called by iOS whenever sensor activity changes — camera turns on, microphone activates, etc. By hooking this single method, Predator intercepts ALL sensor status updates before it can be rendered on screen, preventing the green and orange dots from ever appearing to the user.

The hook callback: Objective-C nil messaging exploitation

The actual suppression mechanism is elegantly simple. The decompiled callback shows the core logic:

Screenshot of HiddenDot callback pseudocode

Figure 3: HiddenDot callback pseudocode — sets the self pointer to NULL via **a2 = 0

At the assembly level, this translates to a single STR XZR instruction that writes zero to the thread state:

Screenshot of HiddenDot callback assembly

Figure 4: HiddenDot callback assembly — STR XZR, [X8] zeroes the x0 register in thread state

This exploits a fundamental feature of Objective-C: messages sent to nil are silently ignored.

How it works

On ARM64, the calling convention places the self pointer in register x0. When an Objective-C method is called:

[SBSensorActivityDataProvider _handleNewDomainData:newData]

The registers are set up as:

  • x0 = self (the SBSensorActivityDataProvider instance)
  • x1 = _cmd (the selector)
  • x2 = newData (the domain data argument)

By setting x0 to 0 (NULL) before the method executes, the call becomes:

[nil _handleNewDomainData:newData]

In Objective-C, this simply returns nil/0 without executing any code. The sensor activity update is silently dropped — SpringBoard never learns that the camera or microphone became active, and no indicator appears.

Hook return values

The callback returns 2, which in DMHooker's exception-based hooking system means "continue execution with the modified thread state." The full enum:

Hook return values from 0 to 4; 2 indicates success

Single hook, dual suppression

A critical finding: this single hook suppresses both the green (camera) and orange (microphone) indicators. The SBSensorActivityDataProvider class aggregates all sensor activity before dispatching to the UI layer. By intercepting _handleNewDomainData:, Predator blocks updates for ALL sensor types with one hook.

This is more efficient than the alternative approach we found in dead code (see below), which would require separate hooks for each indicator type.

Dead code: the abandoned approach

During analysis, we discovered a function CSWatcherSpawner::TestHooker() that implements an alternative indicator suppression mechanism — one that directly hooks SBRecordingIndicatorManager:

Screenshot of dead code in TestHooker()

Figure 5: Dead code in TestHooker() showing abandoned SBRecordingIndicatorManager hooks — this function has zero cross-references

This function has zero cross-references — it's never called. It appears to be development/test code that was superseded by the more elegant SBSensorActivityDataProvider approach.

The abandoned approach would have required:

  1. Two separate hooks (one per method)
  2. Direct manipulation of indicator visibility
  3. Potential race conditions with the display system

The production approach via _handleNewDomainData: is cleaner — it stops the data at the source rather than fighting the UI system.

VoIP recording

The VoIP recording module has no indicator suppression capability. It only hooks audio processing functions:

Screenshot of Voip::setupHooks()

Figure 6: Voip::setupHooks() hooking AudioConverterNew and AudioConverterConvertComplexBuffer+52 — no indicator suppression code present

The audio capture pipeline extracts VoIP call audio by:

  1. Detecting sample rate from buffer sizes (16kHz, 24kHz, 32kHz, 44.1kHz, 48kHz)
  2. Converting float32 PCM to int16 using NEON SIMD instructions
  3. Downmixing from 4-channel to stereo
  4. Writing to file via ExtAudioFileWrite()

But there is no code to suppress the orange microphone indicator. The design implies one-time universal suppression, after which VoIP recording (and potentially camera capture) can run without triggering visible indicators.

CameraEnabler: PAC bypass for camera access

The CameraEnabler module uses a different technique — PAC (Pointer Authentication Code) redirection:

Target discovery via pattern matching

Rather than hooking a known symbol, CameraEnabler locates its target function through ARM64 instruction pattern matching:

Screenshot of CameraEnabler::findFunctionAddress()

Figure 7: CameraEnabler::findFunctionAddress() using memmem() to search for ARM64 prologue pattern near FigVideoCaptureSourceCreateWithSourceInfo

This technique allows Predator to find internal functions that aren't exported symbols, making the hook more resilient to iOS updates that might rename or reorganize exports.

Hook callback: conditional PAC redirect

The CameraEnabler callback checks the thread state and conditionally redirects execution:

CameraEnabler callback pseudocode

Figure 8a: CameraEnabler callback pseudocode

CameraEnabler callback graph

Figure 8b: CameraEnabler callback control flow graph

Return value 3 instructs DMHooker to redirect execution using a pre-signed return address from its PAC cache, effectively bypassing the camera access check.

Detection considerations

Process injection artifacts

Predator's hooks require code injection into system processes:

  • SpringBoard (for HiddenDot)
  • mediaserverd (for CameraEnabler and VoIP)

Detection approaches:

  • Monitor for unexpected memory mappings in system processes
  • Check for exception port registration by non-system code
  • Analyze thread states for breakpoint instructions at unexpected locations

Hook detection

The DMHooker framework uses Mach exception-based hooking rather than traditional inline hooks. Detection requires:

  • Enumerating exception ports for system processes

  • Checking for EXC_BREAKPOINT handlers pointing to non-system code

  • Monitoring for thread_set_state calls that modify register contents

Behavioral indicators

  • Camera or microphone usage without corresponding indicator
  • ExtAudioFileWrite calls from mediaserverd to unusual paths
  • SpringBoard receiving sensor activity notifications but not updating UI

Conclusion

This research documents a technical analysis of Predator's iOS recording indicator bypass mechanisms. These findings fill gaps in existing threat intelligence and demonstrate the sophisticated post-exploitation techniques employed by commercial spyware to evade iOS privacy protections.

Key findings include:

  1. Objective-C nil messaging exploitation: A single hook on SBSensorActivityDataProvider._handleNewDomainData: defeats both camera and microphone indicators by setting the self pointer to NULL.
  2. Modular architecture without automatic stealth: The VoIP recording module lacks built-in indicator suppression, requiring operators to manually activate HiddenDot first.
  3. ARM64 pattern matching for target discovery: CameraEnabler locates internal framework functions through instruction pattern matching rather than symbol resolution.
  4. Dead code reveals development history: Abandoned SBRecordingIndicatorManager hooks show the evolution from direct UI manipulation to the cleaner data-source interception approach.

Indicators of compromise

Hooked methods

  • SBSensorActivityDataProvider._handleNewDomainData: (SpringBoard)
  • Function at pattern offset in CMCapture.framework (mediaserverd)
  • AudioConverterNew (mediaserverd)
  • AudioConverterConvertComplexBuffer+52 (mediaserverd)

Target processes

  • SpringBoard
  • mediaserverd

Framework paths

  • /System/Library/PrivateFrameworks/CMCapture.framework/CMCapture
  • /System/Library/PrivateFrameworks/AudioToolboxCore.framework/AudioToolboxCore

References

  1. Jamf Threat Labs, "NoReboot: Faking an iPhone Restart," January 2022
  2. Jamf Threat Labs, "Predator's kill switch: undocumented anti-analysis techniques in iOS spyware", January 2026
  3. Google Threat Analysis Group, "Buying Spying: Insights into Commercial Surveillance Vendors," February 2024
  4. Apple Developer Documentation, " About App Privacy Report " December 2025
  5. Google Threat Intelligence Group “Sanctioned but Still Spying: Intellexa’s Prolific Zero-Day Exploits Continue”, December 2025

Dive into more Jamf Threat Labs research on our blog.