iPhone Privacy Alert: Predator Spyware Can Hide Camera, Mic Indicators

The tiny green and orange dots on your iPhone are supposed to protect you. But new research shows they can be silenced. Reports from security outlets show that Intellexa’s Predator spyware can suppress Apple’s built-in camera and microphone indicators on compromised devices.

This technique works after attackers gain deep system access, allowing them to quietly override the visual alerts users trust to signal recording activity.

Jamf details how Predator disables recording indicators

BleepingComputer reported that researchers at Jamf analyzed Predator samples and uncovered how the spyware bypasses Apple’s recording indicators. Apple introduced colored status bar indicators in iOS 14 to alert users when apps access sensitive sensors. A green dot signals camera use, and an orange dot signals microphone activity.

“According to Jamf, Predator hides all recording indicators on iOS 14 by using a single hook function (‘HiddenDot::setupHook()’) inside SpringBoard, invoking the method whenever sensor activity changes (upon camera or microphone activation),” BleepingComputer wrote. The outlet further reported that the targeted system method is triggered whenever camera or microphone activity changes. By intercepting that call, Predator prevents updates from reaching the interface, ensuring the status bar indicator never appears.

Jamf Threat Labs made clear that their work documents post-compromise behaviors, not a newly discovered iOS vulnerability. “This research is malware analysis documenting how already-deployed commercial spyware (Predator) operates post-compromise,” Jamf stated. “It is not a vulnerability disclosure,” the authors added.

Jamf’s analysis explains that the spyware interferes with the system component responsible for tracking camera and microphone activity inside SpringBoard. By nullifying that component, iOS silently ignores activation events, so the colored dots never appear, even while recording. BleepingComputer also noted that researchers found unused code that attempted to disable the recording indicator through a different method.

While Apple didn’t comment on the findings, the publication believes that this was likely an earlier development approach that was later abandoned.

No new iOS flaw, but deeper compromise concerns

Jamf emphasized that the method requires a device to be fully compromised, including kernel-level access and the ability to inject code into system processes.

The researchers explained that they didn’t find new vulnerabilities in current versions of iOS. Jamf’s analysis shows that Predator uses Objective-C nil messaging to suppress sensor activity updates and relies on a single hook that simultaneously disables both the camera and microphone indicators. The spyware can also record VoIP calls, but unlike its camera and microphone suppression, this capability lacks built-in stealth.

Even if privacy indicators are suppressed, investigators may still spot signs of compromise. Jamf also said that unexpected memory mappings in SpringBoard or mediaserverd, breakpoint-based hooks, and unusual audio file paths created by system processes could indicate malicious activity.
