Apple devices have long enjoyed a solid reputation for security and user privacy; however, recent findings by researchers at the software company Jamf paint a decidedly alarming picture.
The commercial spyware Predator, developed by the surveillance company Intellexa (currently sanctioned by U.S. authorities), has proven capable of bypassing one of the most well-known visual alert mechanisms in Apple’s operating systems.
Starting with iOS 14, the California-based company introduced visual indicators on the status bar, a green dot for the camera and an orange one for the microphone, designed precisely to signal at a glance the activation of the sensors.
The malicious software in question manages to completely hide these indicators, covertly transmitting audio and video streams to its operators without raising the slightest suspicion.
This particular capability does not derive from exploiting an as-yet-unknown vulnerability in the operating system to conceal the interface, but rather from using deeper system-level privileges, previously obtained through other flaws or through extremely sophisticated infection mechanisms that require no interaction from the victim.
Security experts have thoroughly analyzed malware samples to understand the complex logic behind this invisibility. The technique is based on a specific software hooking function, inserted inside SpringBoard, the essential component that manages the home screen and the user interface of Apple’s mobile devices.
The malicious code intercepts any change in sensor activity before the information can reach the interface visible on screen. Specifically, the malware invalidates the object responsible for communicating status updates.
By making that update target appear null, the operating system silently ignores the calls that would otherwise turn on the warning lights. Since this single element aggregates all sensor communications, manipulating it invisibly turns off both the camera alert and the microphone alert at the same time.
During investigations, researchers also identified portions of deprecated code, a sign of previous attempts to directly disable the visual indicator manager, a path presumably discarded in favor of this far more stealthy and effective structural approach.
The malware’s action is not limited to direct control of traditional hardware, but also extends to recording calls made over Internet protocols.
The VoIP spying module does not possess its own independent system to suppress alerts, therefore it relies entirely on the main concealment function to maintain absolute secrecy of operations.
Camera access, for its part, is granted by a separate component that locates internal instructions using code-recognition techniques and redirects authentication pointers, in order to bypass the strict permission checks imposed by iOS.
With the essential status bar indicators removed, the phone user remains completely unaware of the deep surveillance underway.
Only a thorough technical investigation of the device logs can reveal signs of infection, bringing to light anomalous processes in the system, writes to audio files in unusual paths, or unwarranted memory mappings that impair the normal operation of the device.
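The three log-level signs listed above (anomalous processes, audio files written to unusual paths, unexpected memory mappings inside SpringBoard) lend themselves to a simple triage script. The following is an added example, not code from the article or from the Jamf researchers: the log line format, process names, directory allowlists and sample lines are all constructed for illustration, and a real sysdiagnose or unified-log export would have to be mapped onto `parse_line()` first.

```python
"""Heuristic triage of device-log lines for the indicator-suppression behaviour
described above.  The log format, process names, paths and allowlists are
CONSTRUCTED assumptions for illustration, not real iOS output or real baselines."""
import re
from dataclasses import dataclass

# Constructed line format: "<timestamp> <process>[<pid>]: <event> <key>=<value> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>[\w.]+)\[(?P<pid>\d+)\]: (?P<event>\w+)(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Baseline assumptions (hypothetical): where legitimate code mapped into
# SpringBoard is expected to come from, which processes are expected to write
# captured audio, and where they are expected to write it.
TRUSTED_IMAGE_PREFIXES = ("/System/", "/usr/lib/")
AUDIO_WRITERS = {"mediaserverd", "VoiceMemos"}
AUDIO_DIR_ALLOWLIST = ("/private/var/mobile/Containers/",)
AUDIO_EXTS = (".caf", ".m4a", ".wav", ".aac")


@dataclass
class Finding:
    rule: str
    proc: str
    detail: str


def parse_line(line):
    """Split one constructed log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["kv"] = dict(KV_RE.findall(fields.pop("rest")))
    return fields


def triage(lines):
    """Apply the three heuristics and return every finding in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proc, event, kv = rec["proc"], rec["event"], rec["kv"]
        path = kv.get("path", "")
        # Rule 1: an image mapped into SpringBoard from outside the system volume
        # is the kind of unwarranted memory mapping a UI hook would need.
        if proc == "SpringBoard" and event == "map_image":
            if not path.startswith(TRUSTED_IMAGE_PREFIXES):
                findings.append(Finding("springboard_foreign_image", proc, path))
        # Rule 2: an audio file written by a process that should not capture audio,
        # or by an expected process into a directory outside its normal containers.
        if event == "file_write" and path.endswith(AUDIO_EXTS):
            if proc not in AUDIO_WRITERS:
                findings.append(Finding("audio_write_unexpected_process", proc, path))
            elif not path.startswith(AUDIO_DIR_ALLOWLIST):
                findings.append(Finding("audio_write_unusual_path", proc, path))
    return findings


# Constructed sample log (not real device output); "ABC" stands in for a container id.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z SpringBoard[57]: map_image path=/System/Library/Frameworks/UIKit.framework/UIKit",
    "2024-01-01T10:00:01Z SpringBoard[57]: map_image path=/private/var/tmp/.cache/libhook.dylib",
    "2024-01-01T10:00:02Z mediaserverd[42]: file_write path=/private/var/mobile/Containers/Data/Application/ABC/rec.m4a",
    "2024-01-01T10:00:03Z mediaserverd[42]: file_write path=/private/var/tmp/.cache/call0.caf",
    "2024-01-01T10:00:04Z svcproxy[913]: file_write path=/private/var/tmp/.cache/mic1.caf",
    "2024-01-01T10:00:05Z svcproxy[913]: file_write path=/private/var/tmp/.cache/state.json",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:32} {f.proc:14} {f.detail}")
```

On the constructed sample the script flags the foreign image mapped into SpringBoard, the audio file that mediaserverd wrote outside its container directory, and the audio file written by a process that is not an expected audio writer; the JSON write and the in-container recording pass. The allowlists are the weak point of any such check: they must be built from a known-good baseline of the same device model and OS version, or the heuristics will generate noise instead of leads.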