
The Dot Is Gone: How Predator Spyware Silently Monitors You Through iPhone

Challenge

Once installed, the commercial spyware Predator intercepts the system-level message that tells iOS to draw its orange (microphone) and green (camera) privacy indicators. It can then activate either sensor with no visible sign, and neither the user nor conventional endpoint security tools, which cannot run on iOS, will notice.

Solution

Using Jamf Executive Threat Protection's deep mobile forensics, monitor for anomalous memory mappings in system processes, exception port registrations, thread state irregularities, and sensor activity occurring without indicators — detecting spyware stealth behavior at the system level.

Results

Research confirmed Predator uses a single hook to simultaneously suppress both orange (mic) and green (camera) indicators, with a remaining blind spot in VoIP scenarios. Jamf Executive Threat Protection detects such anomalies via deep system telemetry — one of the few effective defenses available on iPhone.

The Orange Dot That Disappeared

Since iOS 14, Apple has shipped a simple but powerful privacy signal: a small orange dot appears in the status bar whenever an app is using the microphone, and a green dot appears whenever the camera is in use (when both are active, only the green dot is shown). Simple, intuitive, hard to miss.

These dots are not controlled by apps — they're enforced by the operating system itself. No app should be able to hide them.

Except, apparently, Predator can.


What Is Predator?

Predator is a commercial spyware product developed by Cytrox and sold through the Intellexa alliance. It is marketed to governments and intelligence agencies as a "lawful intercept" tool, but research by Citizen Lab, Amnesty Tech, and Jamf Threat Labs has documented its use against journalists, opposition politicians, and civil society figures.

Previous investigations found Predator deployed against:

  • A Greek member of European Parliament
  • Egyptian opposition figures
  • Journalists in multiple countries
  • Diplomats in various regions

Predator is in the same category as NSO Group's Pegasus — it is sophisticated, expensive, and typically deployed by state-level actors against high-value targets.


The New Discovery: Hiding the Dots

Jamf Threat Labs researchers published a technical analysis revealing something alarming: Predator includes a mechanism specifically designed to suppress the orange and green recording indicators on iPhones.

What Does This Mean in Practice?

Imagine this scenario:

You're in a private meeting. Your iPhone is sitting on the table, screen facing down. Unknown to you, Predator has already been installed on your device. The attacker activates your microphone remotely.

Normally, that orange dot would appear. You'd notice it immediately.

With Predator's indicator suppression active — the dot never appears. The microphone is live. Every word spoken in that room is being transmitted. And there is no warning whatsoever.

How It Works (Without the Technical Jargon)

Apple's privacy indicators are drawn by SpringBoard, the system process that also renders your home screen and status bar. When any app activates the microphone or camera, the system sends SpringBoard a message that amounts to "show the indicator."

Predator intercepts this message at its source and discards it. It's like unplugging the fire alarm before starting a fire: the threat is real, but the warning system is silenced.

Remarkably, the researchers found that Predator uses a single interception point to simultaneously suppress both the orange dot (microphone) and the green dot (camera). This level of precision suggests the spyware developers had deep knowledge of iOS internals. It also means the tampering lives inside a system process, out of reach of anything running at the app layer, which is why detection has to look at that process itself: its memory mappings, its exception ports, and its threads.


Why Is This So Dangerous?

The Dots Were Your Last Line of Defense

On a compromised iPhone, many traditional defenses have already failed:

  • No third-party app can run kernel-level antivirus or EDR on an iPhone
  • iOS's sandboxing prevents apps from scanning other processes or the file system
  • There is no list of installed programs in which an implant would stand out

The orange and green dots were one of the few remaining signals a user could rely on. Predator specifically neutralizes this signal.

This Is a Post-Exploitation Capability

To be clear: Predator cannot be installed remotely without first exploiting a vulnerability, typically a zero-click or one-click exploit chain, to gain privileged access to the device. The indicator suppression described here is what happens after the device is already compromised.

But this matters enormously because it means:

  1. You won't know you're compromised — even if you're watching for the dots
  2. The attacker can surveil you indefinitely — without triggering the only visual cue you had
  3. Even security-conscious users are at risk — awareness of the dots is not enough protection

VoIP Calls: A Partial Limitation

Interestingly, the researchers found one gap in Predator's suppression capability: audio from VoIP-style calls (some internet calling features) does not go through the same indicator pathway, so in those scenarios the dots may still appear.

From the attacker's point of view this is a minor limitation. For most surveillance scenarios, such as recording ambient audio in a room, listening to regular phone calls, or activating the camera, the suppression works.


Who Is at Risk?

This type of attack is expensive to deploy and requires significant technical resources. Predator is not being used to attack ordinary consumers at scale. The targets are high-value individuals:

Corporate leadership

  • Executives with access to undisclosed M&A plans, trade secrets, or strategic decisions
  • Board members whose discussions could move markets
  • Legal and finance teams involved in sensitive negotiations

Government and public sector

  • Politicians and senior officials
  • Diplomats and intelligence personnel
  • Law enforcement leadership

Sensitive industry professionals

  • Semiconductor, defense, biotech researchers
  • Investigative journalists and editors
  • Human rights lawyers and activists

Why these people?

A fully weaponized spyware implant for iPhone can cost millions of dollars. The return on that investment comes from:

  • Confidential business intelligence that can drive competitive advantage
  • Government policy information before it becomes public
  • Source identities, investigation details, case strategies
  • Strategic negotiations in real time

The Broader Problem: iPhone's Security Blind Spot

This research highlights a structural challenge that enterprises and governments face with iPhones.

Your organization may have:

  • ✓ EDR deployed on every laptop and desktop
  • ✓ SIEM systems monitoring network activity
  • ✓ Regular vulnerability assessments
  • ✓ Multi-factor authentication on all accounts

But the CEO's iPhone:

  • ✗ Cannot run EDR or antivirus software
  • ✗ Cannot be deeply scanned by standard security tools
  • ✗ Cannot have its processes monitored in real time by conventional tooling
  • ✗ Has privacy indicators that this research shows can be suppressed

That phone contains confidential emails, executive chat groups, sensitive negotiations with clients and suppliers, two-factor authentication codes for every corporate system, and possibly M&A discussions that haven't been announced to the public.

It is arguably the highest-value target in your entire security architecture — and the hardest to defend.


Protective Measures

For High-Risk Individuals: Enable Lockdown Mode

Apple's Lockdown Mode (iOS 16 and later) significantly raises the bar for attackers by disabling features commonly abused in the initial exploit, such as most message attachment types, link previews, and some web technologies.

  • Settings → Privacy & Security → Lockdown Mode
  • The tradeoff: some web features and message attachment types are restricted
  • For executives, government officials, and journalists: the security gain is worth it
  • The caveat: Lockdown Mode reduces the chance of getting infected; it does nothing to reveal or remove an implant that is already in place, including one that is suppressing the indicators

For Enterprises: Assume the Dots Cannot Be Trusted

The indicator suppression revealed in this research means organizations should not rely on users noticing the orange or green dots as a detection method.

Instead, detection needs to happen at a deeper level — through system telemetry, memory analysis, and behavioral signals that users cannot see.
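The following is an added example of what "detection at a deeper level" can look like in practice; it is not JETP code and not Jamf's detection logic. It takes the signals named in the Solution above (sensor activity with no indicator, exception port registrations and anomalous memory mappings in system processes) and runs simple rules over a constructed telemetry stream. The record format, the process names, the list of legitimate exception handlers and the grace period are all assumptions.

```python
"""Added example (not Jamf/JETP code): correlate sensor-activation telemetry
with indicator events and flag tampering-style events in system processes.
The record format, process names and thresholds below are assumptions."""
from typing import Dict, List

# Assumption: system processes whose exception ports and memory mappings
# should only ever be touched by the OS itself.
SYSTEM_PROCESSES = {"SpringBoard", "mediaserverd", "backboardd"}
# Assumption: handlers that legitimately register exception ports on system
# processes (crash reporting). Anything else deserves a look.
EXPECTED_EXCEPTION_HANDLERS = {"ReportCrash", "launchd"}
# Seconds allowed between a sensor starting and its indicator appearing.
INDICATOR_GRACE_S = 2.0
# Which indicator colours satisfy a given sensor. A live camera shows only the
# green dot even when the mic is also recording, so green satisfies mic too.
SATISFYING_COLORS = {"mic": {"orange", "green"}, "camera": {"green"}}

# Constructed telemetry, oldest first. Not real device output.
TELEMETRY: List[Dict] = [
    {"t": 100.0, "event": "sensor_start", "sensor": "mic", "client": "com.example.voip"},
    {"t": 100.3, "event": "indicator_shown", "color": "orange"},
    {"t": 160.0, "event": "sensor_stop", "sensor": "mic", "client": "com.example.voip"},
    {"t": 300.0, "event": "exception_port_set", "proc": "SpringBoard", "handler": "agent_7"},
    {"t": 300.1, "event": "mmap", "proc": "SpringBoard", "backing": None, "prot": "rwx"},
    {"t": 301.0, "event": "sensor_start", "sensor": "mic", "client": "com.example.unknown"},
    # no indicator_shown follows the mic start above: the suppressed-dot case
    {"t": 305.0, "event": "sensor_start", "sensor": "camera", "client": "com.example.unknown"},
    {"t": 305.2, "event": "indicator_shown", "color": "green"},
    {"t": 400.0, "event": "mmap", "proc": "mediaserverd", "backing": "/usr/lib/libfoo.dylib", "prot": "r-x"},
]


def sensor_without_indicator(events: List[Dict], grace: float = INDICATOR_GRACE_S) -> List[Dict]:
    """Return every sensor_start that no satisfying indicator_shown follows
    within `grace` seconds. On a healthy device this list is empty."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "sensor_start":
            continue
        ok_colors = SATISFYING_COLORS[ev["sensor"]]
        seen = False
        for later in events[i + 1:]:
            if later["t"] - ev["t"] > grace:
                break
            if later["event"] == "indicator_shown" and later["color"] in ok_colors:
                seen = True
                break
        if not seen:
            alerts.append({"t": ev["t"], "sensor": ev["sensor"], "client": ev["client"],
                           "reason": "sensor active, no indicator"})
    return alerts


def system_process_tampering(events: List[Dict]) -> List[Dict]:
    """Flag exception-port registrations by unexpected handlers and anonymous
    writable+executable mappings inside system processes."""
    alerts = []
    for ev in events:
        if ev.get("proc") not in SYSTEM_PROCESSES:
            continue
        if ev["event"] == "exception_port_set" and ev["handler"] not in EXPECTED_EXCEPTION_HANDLERS:
            alerts.append({"t": ev["t"], "proc": ev["proc"],
                           "reason": f"exception port taken by {ev['handler']}"})
        elif ev["event"] == "mmap" and ev["backing"] is None and "w" in ev["prot"] and "x" in ev["prot"]:
            alerts.append({"t": ev["t"], "proc": ev["proc"], "reason": "anonymous rwx mapping"})
    return alerts


def analyze(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Run both rules over time-ordered telemetry and group the findings."""
    ordered = sorted(events, key=lambda e: e["t"])
    return {"silent_sensor": sensor_without_indicator(ordered),
            "tampering": system_process_tampering(ordered)}


if __name__ == "__main__":
    for kind, found in analyze(TELEMETRY).items():
        for alert in found:
            print(f"[{kind}] t={alert['t']:.1f} {alert['reason']}")
```

Run against the constructed stream, the first microphone session passes (its orange dot arrives 0.3 s later), the second is flagged because no indicator ever follows it, and the two SpringBoard events are flagged independently of whether any sensor was active at the time. That independence is the point: the suppression hook has to exist in the system process before the microphone is ever switched on, so the tampering rule can fire first.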

General Security Hygiene

  • Apply iOS updates immediately when released
  • Do not click unknown links, even from trusted contacts
  • Avoid public Wi-Fi for sensitive work
  • Do not use charging accessories from unknown sources
  • Be suspicious of unexpected phone behavior (battery drain, unexpected heat, data spikes)

How KlickKlack Can Help

Through the Jamf Executive Threat Protection solution, KlickKlack provides deep Apple mobile device forensics capabilities. Rather than relying on visible indicators, JETP analyzes system-level telemetry — including memory mappings, exception port registrations, and process behavior — to detect anomalies consistent with spyware like Predator.

This approach can identify compromise even when:

  • All visible indicators have been suppressed
  • The device appears and behaves normally
  • The attacker has attempted to clean up traces

Contact us to learn more about protecting your executives and high-value personnel.


About KlickKlack

KlickKlack is the only partner in Taiwan with both Jamf MSP and Elite Partner certifications, providing comprehensive enterprise management and security solutions for Apple devices.

