Executive Summary
In February 2026, security researchers uncovered that Intellexa's Predator spyware can suppress iOS's camera and microphone recording indicators, allowing covert surveillance without user awareness. By injecting code into SpringBoard, the spyware intercepts sensor activity updates, preventing the green and orange dots from appearing when the camera or microphone is active. This technique requires prior full device compromise, including kernel-level access, and does not exploit new iOS vulnerabilities. (bleepingcomputer.com)
This discovery highlights the evolving sophistication of commercial spyware and underscores the importance of maintaining up-to-date device security measures. Users should be aware that visual indicators alone may not reliably signal unauthorized access to device sensors, emphasizing the need for comprehensive security practices.
Why This Matters Now
The ability of Predator spyware to bypass iOS recording indicators underscores the urgent need for enhanced security measures and user vigilance, as traditional visual cues may no longer suffice to detect unauthorized surveillance.
Attack Path Analysis
The Predator spyware campaign began with the exploitation of zero-day vulnerabilities in Apple and Chrome, leading to kernel-level access on targeted iOS devices. With this access, the spyware escalated privileges to manipulate system processes, specifically injecting code into SpringBoard to suppress camera and microphone activity indicators. This manipulation allowed the spyware to move laterally within the device's processes, maintaining stealth and control. The spyware established command and control by covertly streaming audio and video data to external servers without user awareness. Sensitive data was exfiltrated through these covert channels, bypassing standard security measures. The impact was a significant breach of user privacy, with potential exposure of confidential information.
Kill Chain Progression
Initial Compromise
Description
Exploitation of zero-day vulnerabilities in Apple and Chrome to gain initial access to iOS devices.
Related CVEs
CVE-2023-41993
CVSS 8.8A remote code execution vulnerability in WebKit allows attackers to execute arbitrary code on affected devices.
Affected Products:
Apple iOS – < 16.6.1
Exploit Status:
exploited in the wildCVE-2023-41992
CVSS 7.8A kernel vulnerability in iOS allows attackers to achieve privilege escalation on affected devices.
Affected Products:
Apple iOS – < 16.6.1
Exploit Status:
exploited in the wildCVE-2023-41991
CVSS 5.5A code signing bypass vulnerability in iOS allows attackers to execute arbitrary code on affected devices.
Affected Products:
Apple iOS – < 16.6.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Audio Capture
Video Capture
Disguise Root/Jailbreak Indicators
Capture Camera
Capture Audio
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: Pillar 3
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Predator spyware's iOS SpringBoard manipulation enables covert surveillance bypassing camera/microphone indicators, critically threatening government officials and classified communications through commercial spyware attacks.
Law Enforcement
Commercial spyware targeting iOS devices compromises law enforcement personnel communications and operations, with zero-click infection vectors enabling adversaries to monitor investigations without detection indicators.
Financial Services
Intellexa's Predator spyware poses severe risks to financial executives and sensitive transactions through hidden iOS surveillance capabilities, violating privacy controls and regulatory compliance requirements.
Health Care / Life Sciences
Healthcare organizations face HIPAA compliance violations as Predator spyware secretly records patient consultations and medical discussions through compromised iOS devices without visible privacy indicators.
Sources
- Predator spyware hooks iOS SpringBoard to hide mic, camera activityhttps://www.bleepingcomputer.com/news/security/predator-spyware-hooks-ios-springboard-to-hide-mic-camera-activity/Verified
- How Predator Spyware Defeats iOS Recording Indicatorshttps://www.jamf.com/blog/predator-spyware-ios-recording-indicator-bypass-analysis/Verified
- To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spywarehttps://securitylab.amnesty.org/latest/2025/12/intellexa-leaks-predator-spyware-operations-exposed/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the spyware's ability to exploit vulnerabilities, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit zero-day vulnerabilities may be constrained by reducing the attack surface through strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could be limited by enforcing strict segmentation policies that restrict access to critical system components.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the device's processes could be constrained by monitoring and controlling east-west traffic, thereby reducing stealth capabilities.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish covert command and control channels may be limited by providing comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could be constrained by enforcing strict egress policies that monitor and control outbound data flows.
The overall impact of the breach could be reduced by limiting the attacker's ability to access and exfiltrate sensitive data through comprehensive security controls.
Impact at a Glance
Affected Business Functions
- Personal Privacy
- Data Security
- Device Integrity
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to personal data, including audio and video recordings, without user consent.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict unauthorized access and lateral movement within devices.
- • Deploy Threat Detection & Anomaly Response systems to identify and respond to unusual activities indicative of spyware.
- • Utilize Multicloud Visibility & Control to monitor and manage data flows across cloud environments, ensuring no unauthorized data exfiltration.
- • Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data leakage to unauthorized destinations.
- • Regularly update and patch systems to mitigate vulnerabilities exploited by spyware like Predator.
