Apple’s camera and microphone indicators are supposed to tell iPhone users when the microphone or camera is on, but after the device is completely compromised with kernel-level access by another hack, the Predator spyware can prevent them from showing up.
Camera and microphone indicators, which first appeared in iOS 14, are a big part of Apple’s privacy report. Users depend on them to know when a recording is in progress.
Security researchers at Jamf discovered that Predator spyware can prevent these iOS upload indicators from appearing. However, this is not a stand-alone attack – this is post-compromise behavior and the analysis does not describe a new iOS vulnerability or a bug that needs to be patched.
Predator does this by injecting code into SpringBoard that manages the status bar and home screen. By capturing sensor activity updates before they reach the user interface, Predator allows the camera or microphone to operate without triggering the familiar green or orange dot.
Otherwise, the iPhone continues to function normally, giving users no apparent reason for suspicious tracking. Apps still launch, notifications arrive, and the interface behaves as expected, but the visual indicator never appears.
A report from Jamf Threat Labs points out that this trust depends on internal system behavior that can be manipulated by extremely advanced attackers after a deep compromise. The discovery raises concerns about how much trust users should place in user interface-level privacy signals when the device is already under operator control.
How iOS normally displays recording indicators
On iPhone, individual apps cannot control the recording indicators. When the camera or microphone is in use, iOS sends a notification to SpringBoard, which updates the status bar.
The separation is to prevent apps from sneaking around and hiding sensor access. Normally, you will see a pop-up indicator when recording starts.
Research shows that Predator uses a single SpringBoard method that is used to handle changes in sensor activity. When this method is executed, the spyware will intentionally cancel the call, causing the message to be silently discarded.
iPhone will notify you that a recording is in progress via the camera or microphone
In Objective-C, messages sent to a “null” object are silently ignored. Because iOS aggregates camera and microphone activity through the same internal pipeline, a single hook overrides both indicators at once.
SpringBoard will never know that recording has started, so no dot will appear.
Why this attitude is hard to notice
Earlier spyware techniques often relied on hiding the interface or simulating a switched off phone. These methods could raise suspicions when the device behaved inconsistently.
Predator leaves the phone fully functional, so apps launch normally, notifications arrive, and the interface behaves as expected. You may not even notice the absence of an indicator because it is so subtle and easy to miss.
The report does not suggest that App Store apps can bypass Apple’s privacy indicators. Predator operates at the system level and requires a deep compromise of iOS, including kernel-level access and injecting code into protected processes.
Jamf’s analysis also suggests that spyware stealth is modular rather than automatic. The VoIP recording component lacks built-in indicator suppression, which means operators must first activate the indicator suppression module before relying on it for covert capture.
Such an approach places the threat in the category of commercial spyware instead of everyday malware. Tools designed for targeted tracking operate under very different assumptions than typical App Store threats, but for most users, Apple’s upload indicators still get the job done.
How to protect yourself
Predator needs a full device compromised with kernel-level access, usually through zero-day exploits or highly targeted attack chains. For most iPhone users, the problem is not everyday malware, but rather sophisticated tracking campaigns targeting specific individuals.
Keeping iOS up-to-date is the first layer of protection. Apple often patches vulnerabilities used by spyware operators, so installing updates quickly reduces the attack surface.
Connecting Voip::setupHooks() AudioConverterNew and AudioConverterConvertComplexBuffer+52 — no indicator override code present. Image credit: Jamf
Additionally, regularly restarting your iPhone can break certain exploit frameworks that rely on persistence in memory. Although a reboot is not a guaranteed fix, it can temporarily break some spyware.
Be on the lookout for strange things happening to your device, such as crashes you can’t explain, changes to your configuration profiles, unknown VPNs, or new enrollments in Device Manager. Advanced spyware can be sneaky and hide its signs, but it often leaves subtle traces behind.
If you think you might be at higher risk, it’s a smart move to enable Lockdown Mode. This mode tightens security by restricting things like message attachments, web technologies, and wired connections, making it much more difficult for attackers to exploit your device.
The most important thing is to understand the threat model. Predator does not bypass iOS privacy protections under normal circumstances. It operates on a deep compromise, meaning that the most effective defense is to prevent exploitation in the first place.