The new research from Jamf Threat Labs demonstrates how Predator spyware can stay hidden on targeted phones by "intercepting sensor activity" to hide the indicators.

# Analysis Summary
# Tool/Technique: Predator Spyware (Indicator Suppression)
## Overview
Predator is advanced spyware capable of infecting targeted phones (specifically via "zero-click" methods) and maintaining stealth by actively blocking or suppressing the visual indicators iOS displays when the camera (green dot) or microphone (orange dot) is in use. This allows operators to conduct surveillance without the user's knowledge.
## Technical Details
- Type: Malware family | Technique
- Platform: iOS
- Capabilities: Zero-click infection, interception of sensor activity, suppression of privacy indicators (camera/microphone dots).
- First Seen: Information regarding initial deployment is not specified, but research detailing this specific capability was published around February 2026.
## MITRE ATT&CK Mapping
Since the core discovery relates to masking the indicators of recording activity, the mapping focuses on defense evasion, with command and control and initial access included as supporting stages.
- **TA0005 - Defense Evasion**
- **T1070.009 - Indicator Removal: OS Specific** (Closest fit for hiding system-level indicators)
- **TA0011 - Command and Control** (Implied, as it needs C2 to function, though not detailed)
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application** (If zero-click relies on unpatched vulnerabilities, which is typical of high-end spyware)
## Functionality
### Core Capabilities
* **Indicator Suppression:** Intercepting sensor activity specifically to prevent the iOS status bar from displaying the green camera indicator or orange microphone indicator when the respective hardware is being accessed.
* **Stealth Maintenance:** Remaining hidden by ensuring the device appears to function normally while the user is never notified of active surveillance.
### Advanced Features
* **Zero-Click Infection:** Ability to infect devices without requiring any user interaction (e.g., clicking links or installing apps).
* **Sensor Hijacking:** Full capability to spy on users via microphones and cameras.
* **Subtle Operation:** Suppresses only the indicators rather than simulating a full device shutdown, which makes detection harder.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: [Not provided in the article]
- Registry Keys: [Not applicable to this specific iOS technique]
- Network Indicators: [Not provided in the article]
- Behavioral Indicators: Simultaneous suppression of both microphone and camera recording indicators without a corresponding device shutdown or recognized trigger.
## Associated Threat Actors
* Operators linked to **Intellexa** (parent company of Predator spyware).
* Observed activity in countries including Pakistan, Mongolia, Angola, Saudi Arabia, and Kazakhstan.
* The spyware has historically been linked to the surveillance of politicians and activists.
## Detection Methods
- Signature-based detection: [Not detailed in the article]
- Behavioral detection: Monitoring for unusual system calls or process behavior that results in system-level indicators being suppressed while sensor activity is confirmed to be occurring.
- YARA rules: [Not provided in the article]
## Mitigation Strategies
- Prevention measures: Updating to the latest patched version of iOS, as zero-click exploits often target newly discovered vulnerabilities.
- Hardening recommendations: Limiting the permissions granted to applications; however, sophisticated spyware bypasses these standard controls. The primary defense relies on Apple patching the underlying interception method.
## Related Tools/Techniques
* Other high-end commercial or state-sponsored spyware known for deep system integration and obfuscation (e.g., Pegasus, Chimaera).
* Techniques relying on **Zero-Click exploitation** for initial access.