TL;DR: Research published on January 16, 2026 by Jamf Threat Labs researchers Shen Yuan and Nir Avraham reveals that Intellexa's Predator spyware can suppress the green and orange dots iOS displays when your camera or microphone is active. The spyware hooks into SpringBoard (the iOS process that manages your home screen) and intercepts the recording indicator system. Your phone is being recorded. You see nothing. Predator also includes a crash reporter, an error code system that phones home to Intellexa's servers, and detects whether you have Developer Mode enabled (aborting if you do). The research also confirms Intellexa maintains centralized command-and-control infrastructure, contradicting their claims of being a passive vendor.
Apple's Recording Dots, Explained
Since iOS 14, Apple has shown a small colored dot in the top-right corner of your screen whenever an app accesses your camera or microphone. Green dot means camera. Orange dot means microphone. It's a simple, visible signal: something is recording you.
For most iPhone users, those dots are the entire privacy model. No dot, no recording. That's the assumption.
Predator breaks that assumption.
How Predator Kills the Dots
Jamf's researchers found that Predator operates as a dual-mode binary with two execution modes: a "watcher" for orchestration and persistence, and a "helper" that runs the actual surveillance. The helper process listens on a Unix socket at /tmp/helper.sock and accepts commands controlling four distinct surveillance modules.
Here's the module list, pulled directly from the research:
- ID 10, "HiddenDot": Suppresses the iOS privacy indicator (the camera/mic dot)
- ID 11, "Voip": VoIP call interception
- ID 12, "KeyLogger": Keystroke capture
- ID 13, "CameraEnabler": Camera surveillance
They named the indicator suppression module "HiddenDot." Not subtle.
The technical mechanism: Predator locates the SpringBoard process, the core iOS system process that manages your home screen, app switching, and notification overlays. It uses kernel exploitation primitives to inject into SpringBoard, then hooks SBRecordingIndicatorManager methods. That's the class responsible for showing the green and orange dots. Once hooked, those methods do nothing. The dots never appear.
Predator also hooks into Apple's private CMCapture.framework using a Mach exception-based hooking mechanism called "DMHooker." This gives it direct access to the camera hardware pipeline, bypassing the normal iOS APIs that would trigger recording indicators.
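A defender-side check built on the helper socket path reported above, as an added example that is not from Jamf's research or this article: it scans an `ls -l`-style filesystem listing from a forensic dump for a Unix socket at /tmp/helper.sock. The listing format, the /tmp alias list and the sample lines are assumptions constructed for illustration.

```python
import posixpath

# Path reported in the article; the only indicator used here.
HELPER_SOCKET = "/tmp/helper.sock"

# Assumption: on iOS /tmp resolves into /private/var/tmp (macOS uses
# /private/tmp), so a filesystem dump may record any of these spellings.
TMP_ALIASES = ("/private/var/tmp", "/private/tmp", "/var/tmp")


def normalise(path):
    """Collapse known /tmp aliases so all spellings compare equal."""
    path = posixpath.normpath("/" + path.lstrip("/"))
    for alias in TMP_ALIASES:
        if path == alias or path.startswith(alias + "/"):
            return "/tmp" + path[len(alias):]
    return path


def find_helper_socket(listing):
    """Return (line_no, path) for socket entries at the helper path.

    `listing` is `ls -l`-style text: mode string first, path last.
    """
    hits = []
    for line_no, line in enumerate(listing.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2:
            continue
        mode, path = fields[0], fields[-1]
        # A leading 's' in the mode string marks a Unix domain socket,
        # which filters out ordinary files that merely share the name.
        if mode.startswith("s") and normalise(path) == HELPER_SOCKET:
            hits.append((line_no, path))
    return hits


# Constructed sample listing, not taken from a real device.
SAMPLE = """\
srwxr-xr-x 1 root wheel 0 Jan 10 09:12 /private/var/tmp/helper.sock
-rw-r--r-- 1 mobile mobile 12 Jan 10 09:12 /private/var/mobile/helper.sock
srwxrwxrwx 1 root wheel 0 Jan 10 09:00 /private/var/run/lockdown.sock
-rw-r--r-- 1 root wheel 40 Jan 10 09:13 /tmp/helper.sock
"""

if __name__ == "__main__":
    for line_no, path in find_helper_socket(SAMPLE):
        print(f"line {line_no}: socket at {path}")
```

helper.sock is a generic file name, so a hit is a lead for deeper analysis, not a verdict.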
Intellexa's Quality Assurance for Spying
Jamf's analysis uncovered something else: Predator has a built-in error reporting system. When an infection fails, it doesn't just crash silently. It sends standardized error codes back to Intellexa's command-and-control servers, telling operators exactly what went wrong.
Researchers Shen Yuan and Nir Avraham noted this system gives operators "granular visibility into why deployments fail," letting Intellexa refine future attacks based on specific failure conditions. Failed infections become training data for better infections.
The error taxonomy is sophisticated enough to detect:
- Whether Developer Mode is activated on the target phone (Predator aborts if it is, a sign the phone might be under analysis)
- Sandbox environments used by security researchers
- Crash conditions in specific iOS components
This isn't a tool sold to clients and forgotten. This is actively managed infrastructure.
Intellexa Runs the Show
Intellexa has always claimed it sells tools to government clients and then steps back: the classic "we're just the vendor" defense. Jamf's research says otherwise.
The sophisticated error reporting, centralized command-and-control architecture, and crash monitoring system suggest what Jamf researchers described as "a centralized infrastructure or at minimum a tightly controlled deployment framework" operated by Intellexa directly. The vendor isn't just selling the gun. They're aiming it.
This matches what leaked documents revealed in December 2025: Intellexa staff used TeamViewer to remotely access government customers' surveillance systems, viewing stolen photos, messages, and data from hacked phones firsthand.
Who Predator Targets
Predator isn't mass surveillance. It's precision surveillance, sold to governments for use against specific individuals. The known target list includes journalists, opposition politicians, activists, lawyers, and academics in countries including Greece, Egypt, Vietnam, Madagascar, Sudan, and Indonesia.
The European Parliament investigated Predator in 2023 after it was used against Greek journalists and an opposition politician. The Hellenic Inspector General for Public Administration confirmed the spyware was deployed against journalist Thanasis Koukakis. Amnesty International's Security Lab has documented Predator infections across multiple continents.
Despite US sanctions imposed on Intellexa in March 2024, the company continues operating. Leaked documents show active sales in Saudi Arabia, Kazakhstan, Angola, and Mongolia.
What You Can Actually Do
Enable Lockdown Mode
Apple's Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) disables many of the attack surfaces Predator exploits. It blocks most message attachment types, disables link previews, and restricts web browsing features. It's disruptive but effective.
Keep iOS Updated
Predator relies on exploiting specific iOS vulnerabilities. Apple patches these regularly. Don't delay updates. iOS 26 specifically addressed indicators of compromise left by both Predator and Pegasus.
Enable Developer Mode (If You Can)
Predator detects Developer Mode and aborts installation. Enabling it isn't practical for most users, but if you're a high-risk target (journalist, activist, lawyer) it adds a layer of deterrence.
Use iVerify or Similar Tools
Mobile threat detection tools like iVerify scan for known spyware indicators. They're not foolproof (Predator actively evades analysis) but they catch some infections that other methods miss.
The uncomfortable truth: if a government with Predator access decides to target your phone specifically, these defenses raise the cost but may not stop them. The best protection is systemic: banning the sale of mercenary spyware entirely.
The Recording Indicator Was Supposed to Be Enough
Apple introduced recording indicators as a visible, impossible-to-fake signal that something was accessing your camera or microphone. The company specifically designed the feature to work at the system level, below where apps operate, so that no app could suppress it.
Predator doesn't operate at the app level. It uses kernel exploitation primitives to inject into SpringBoard, the same system process that displays the indicators, and turns them off at the source. Apple's protection assumed adversaries playing by the rules of the App Store. Mercenary spyware doesn't play by those rules.
This matters beyond Predator. If one spyware vendor figured out how to suppress recording indicators, others will too. The green dot on your iPhone is a promise from Apple. Predator shows that promise has limits.
References
- Jamf Threat Labs - How iOS Malware Can Spy on Users Silently (February 2026)
- Jamf Threat Labs - Predator iOS Spyware: Undocumented Anti-Analysis Techniques (January 16, 2026)
- Reverse Society - Predator iOS Malware: Building a Surveillance Framework (2025)
- SecurityWeek - Predator Spyware's Granular Anti-Analysis Features Exposed (February 2026)
- Dark Reading - Predator Spyware Sample Indicates 'Vendor-Controlled' C2 (February 2026)
- iVerify - Key IOCs for Pegasus and Predator Spyware Cleaned With iOS 26 Update