Mosaic VPN LogoMosaic VPN
DashboardGet Started
Back to blog
securityspywaresurveillanceprivacy

Predator Spyware: The Surveillance Tool That Hides in Plain Sight

Mosaic TeamPublished: April 12, 2026Updated: April 23, 2026
Digital surveillance concept with a glowing eye on a dark screen

Available languages

ARENESIDRUZH

You might think your phone would warn you if someone was listening through your microphone. On iPhones, the orange dot indicator is supposed to tell you when the mic is active. But Predator spyware can suppress that warning entirely.

Developed by Cytrox (part of the Intellexa Consortium), Predator is a commercial surveillance tool sold to governments and agencies worldwide. In 2024, the US Treasury sanctioned Intellexa-related entities for deploying Predator against journalists, policy experts, and government officials.

What Predator Can Do

Once installed on a device, Predator provides near-complete access:

  • Messages and calls — read texts, listen to calls, access messaging apps
  • Location tracking — real-time GPS monitoring
  • Files and photos — access everything stored on the device
  • Microphone and camera — activate silently without triggering indicators
  • Sensor data — accelerometer, Wi-Fi connections, and more

The Indicator Bypass

This is what makes Predator particularly dangerous. Research published by Jamf in February 2026 revealed that Predator uses a mechanism called "HiddenDot" to intercept sensor status updates on iPhones before they reach the screen.

That means:

  • The orange dot (microphone active) doesn't appear
  • The green dot (camera active) doesn't appear
  • The user has no visual indication that surveillance is happening

Your phone's built-in privacy indicators were designed to protect you. Predator was designed to defeat them.

How Predator Infects Devices

Unlike Pegasus, which primarily uses zero-click exploits, Predator typically relies on:

  • Malicious links sent through messaging apps — often disguised as news articles or documents
  • Malicious advertisements on third-party platforms that redirect to exploit pages
  • Zero-day vulnerabilities in browsers and operating systems

Google's Threat Analysis Group identified Intellexa as "one of the most prolific spyware vendors abusing zero-day vulnerabilities." In 2023, Google and Citizen Lab discovered a Predator exploit chain targeting an Egyptian opposition figure through a network injection attack.

Real-World Targets

Predator has been documented targeting:

  • Journalists — Angolan journalist Teixeira Candido was targeted in 2024 through WhatsApp messages carrying infection disguised as news content
  • Opposition politicians — the Egyptian case involved a prominent political figure
  • Policy experts and researchers — people whose work threatens the interests of surveilling governments
  • Government officials — including officials in countries allied with the deploying government

This isn't mass surveillance — it's targeted monitoring of specific individuals. But the technology continues to spread as Intellexa finds new customers despite sanctions.

How to Protect Yourself

For Everyone

  1. Don't click links from unknown senders — especially "breaking news" or urgent-sounding messages
  2. Update your OS and apps immediately — patches close the vulnerabilities Predator exploits
  3. Watch for unusual device behavior — unexpected battery drain, slowdowns, or data usage spikes
  4. Use a VPN on untrusted networks — encrypts traffic and blocks malicious sites that could host exploit payloads

For High-Risk Individuals

  • Enable Lockdown Mode on iPhone — restricts features that spyware commonly exploits
  • Use separate devices for sensitive work and personal use
  • Seek professional forensic analysis if you suspect your device has been compromised
  • Contact digital security organizations — Citizen Lab, Access Now, and EFF provide support for targeted individuals

Predator vs. Pegasus

Both are commercial spyware, but they differ in approach:

FeaturePredatorPegasus
DeveloperCytrox / IntellexaNSO Group
Primary infectionMalicious links, adsZero-click exploits
Indicator bypassSuppresses iOS dotsVaries by version
SanctionsUS Treasury (2024)US Commerce Dept (2021)
ScaleGrowingWidespread

Both represent the same fundamental threat: commercial surveillance tools that undermine the security of consumer devices.

The Bottom Line

Predator proves that your phone's built-in security indicators can't always be trusted. The defense is the same as with any advanced threat — keep your software updated, be cautious with links from unknown sources, and assume that sophisticated attackers can bypass visible warnings.

For most people, Predator isn't a direct threat. But the techniques it uses trickle down to less sophisticated malware over time. The security habits you build today protect you against tomorrow's threats.

Tagged in

securityspywaresurveillanceprivacy