A recent report from Jamf Threat Labs reveals how the commercial spyware tool “Predator” disables Apple’s iOS camera and microphone recording indicators on compromised devices, allowing for covert surveillance. The attack relies on a single hook to suppress both visual alerts in iOS, bypassing legitimate app protection mechanisms.
Here’s how it works: Predator targets the _handleNewDomainData: method of an internal class within SpringBoard, which is invoked whenever sensor activity changes. By installing a hook on this method, Predator intercepts sensor updates and suppresses them before they reach the UI layer. This manipulation relies on a subtle abuse of Objective-C behavior.
The attack works by setting the self pointer to NULL in the thread state. Because Objective-C silently ignores messages sent to a nil object, this effectively drops the sensor update and prevents the recording indicator from appearing. A single STR XZR instruction zeroes out the relevant register, and the underlying DMHooker framework is instructed to continue execution with the modified register state.
This report highlights Predator’s sophisticated post-exploitation capabilities, which combine Objective-C runtime quirks, ARM64 internals, and PAC-aware redirection to evade built-in privacy safeguards. While the report discloses no new iOS vulnerability, it provides concrete indicators of compromise for iPhone users.
To minimize risk, users are advised to upgrade to the latest iOS version and consider enabling Lockdown Mode, which reduces the attack surface. However, it’s worth noting that newer devices (iPhone 16 and above) have shifted the indicator lights’ functionality to Secure Indicator Lights exclaves, running in ExclaveOS, making them harder to disable without finding vulnerabilities in SPTM and Exclaves.
Source: https://cyberinsider.com/predator-spyware-uses-stealthy-trick-to-disable-ios-recording-alerts