Predator Spyware Exploits iOS SpringBoard Vulnerability to Conceal Microphone and Camera Activity


Newly Discovered Mechanism Allows Predator Spyware to Evade Detection on iOS Devices

A newly discovered mechanism used by the Predator spyware, developed by US-sanctioned surveillance firm Intellexa, allows it to evade detection on iOS devices by concealing camera and microphone activity indicators. This capability enables the malware to secretly stream camera and microphone feeds to its operators without alerting the user.

Predator’s Evasion Mechanism

Predator achieves this by leveraging previously obtained kernel-level access to hijack system indicators. Specifically, it uses a single hook function, HiddenDot::setupHook(), inside the SpringBoard process to intercept sensor activity changes, such as camera or microphone activation. By doing so, the malware prevents the display of recording indicators on the status bar, which would normally alert the user to ongoing surveillance.

According to the researchers' findings, the hook function targets the SBSensorActivityDataProvider object, which aggregates all sensor activity. By nullifying this object, Predator prevents SpringBoard from processing camera or microphone activation, resulting in no indicator being displayed.

Additionally, the researchers found that Predator uses a separate module to enable camera access, which locates internal camera functions using ARM64 instruction pattern matching and Pointer Authentication Code (PAC) redirection. This allows the malware to bypass camera permission checks and access the camera without triggering indicators.

Detection and Mitigation

While Predator’s ability to suppress camera and microphone activity indicators is alarming, Jamf notes that technical analysis can still reveal signs of the malicious processes. These include unexpected memory mappings or exception ports in SpringBoard and mediaserverd, as well as breakpoint-based hooks and audio files written by mediaserverd to unusual paths.
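The indicators listed above can be turned into a simple triage pass over per-process data pulled from a forensic acquisition. The sketch below is an added example, not Jamf's tooling: the snapshot schema, the sample records, and the baseline values (expected exception handlers, system path prefixes, expected audio directories) are all assumptions to be replaced with values measured on known-clean devices.

```python
import posixpath

WATCHED = {"SpringBoard", "mediaserverd"}   # processes named in the article
AUDIO_EXT = {".wav", ".caf", ".m4a", ".aac", ".amr"}
# Assumed baselines (hypothetical); measure these on known-clean devices.
EXPECTED_EXC_HANDLERS = {"ReportCrash"}
SYSTEM_PREFIXES = ("/System/", "/usr/lib/", "/private/preboot/Cryptexes/")
EXPECTED_AUDIO_DIRS = ("/private/var/mobile/Media/Recordings/",)

def triage(snapshots):
    """Return (process, indicator, detail) tuples for the indicators above."""
    findings = []
    for snap in snapshots:
        proc = snap["process"]
        if proc not in WATCHED:
            continue
        # Exception ports owned by anything outside the baseline.
        for handler in snap.get("exception_ports", []):
            if handler not in EXPECTED_EXC_HANDLERS:
                findings.append((proc, "exception_port", handler))
        # Executable mappings that are anonymous or backed by a non-system file.
        for m in snap.get("mappings", []):
            path = m.get("path") or ""
            if "x" in m["prot"] and not path.startswith(SYSTEM_PREFIXES):
                findings.append((proc, "unexpected_exec_mapping", path or "<anonymous>"))
        # Audio files written by mediaserverd outside the expected directories.
        if proc == "mediaserverd":
            for f in snap.get("files_written", []):
                f = posixpath.normpath(f)   # collapse ../ before comparing
                ext = posixpath.splitext(f)[1].lower()
                if ext in AUDIO_EXT and not f.startswith(EXPECTED_AUDIO_DIRS):
                    findings.append((proc, "audio_file_unusual_path", f))
    return findings

SAMPLE = [  # constructed snapshot data in a hypothetical schema
    {"process": "SpringBoard",
     "exception_ports": ["ReportCrash", "pid 4312"],
     "mappings": [
         {"path": "/System/Library/CoreServices/SpringBoard.app/SpringBoard", "prot": "r-x"},
         {"path": None, "prot": "r-x"}]},
    {"process": "mediaserverd",
     "exception_ports": ["ReportCrash"],
     "files_written": ["/private/var/mobile/Media/Recordings/../../tmp/rec0.caf",
                       "/private/var/mobile/Media/Recordings/memo.m4a"]},
    {"process": "Notes", "exception_ports": ["pid 1"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A hit from this pass is a lead for deeper analysis rather than a verdict, since the baselines differ across iOS versions and device configurations.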

The discovery of Predator’s evasion mechanism highlights the ongoing cat-and-mouse game between surveillance firms and security researchers. As new techniques are developed to evade detection, it is essential for security professionals to stay vigilant and adapt their defenses to counter emerging threats.


