Predator Spyware: The Surveillance Tool That Hides in Plain Sight

You might think your phone would warn you if someone was listening through your microphone. On iPhones, the orange dot indicator is supposed to tell you when the mic is active. But Predator spyware can suppress that warning entirely.
Developed by Cytrox (part of the Intellexa Consortium), Predator is a commercial surveillance tool sold to governments and agencies worldwide. In 2024, the US Treasury sanctioned Intellexa-related entities for deploying Predator against journalists, policy experts, and government officials.
What Predator Can Do
Once installed on a device, Predator provides near-complete access:
- Messages and calls — read texts, listen to calls, access messaging apps
- Location tracking — real-time GPS monitoring
- Files and photos — access everything stored on the device
- Microphone and camera — activate silently without triggering indicators
- Sensor data — accelerometer, Wi-Fi connections, and more
The Indicator Bypass
This is what makes Predator particularly dangerous. Research published by Jamf in February 2026 revealed that Predator uses a mechanism called "HiddenDot" to intercept sensor status updates on iPhones before they reach the screen.
That means:
- The orange dot (microphone active) doesn't appear
- The green dot (camera active) doesn't appear
- The user has no visual indication that surveillance is happening
Your phone's built-in privacy indicators were designed to protect you. Predator was designed to defeat them.
How Predator Infects Devices
Unlike Pegasus, which primarily uses zero-click exploits, Predator typically relies on:
- Malicious links sent through messaging apps — often disguised as news articles or documents
- Malicious advertisements on third-party platforms that redirect to exploit pages
- Zero-day vulnerabilities in browsers and operating systems
Google's Threat Analysis Group identified Intellexa as "one of the most prolific spyware vendors abusing zero-day vulnerabilities." In 2023, Google and Citizen Lab discovered a Predator exploit chain targeting an Egyptian opposition figure through a network injection attack.
Real-World Targets
Predator has been documented targeting:
- Journalists — Angolan journalist Teixeira Candido was targeted in 2024 through WhatsApp messages that carried the infection attempt disguised as news content
- Opposition politicians — the Egyptian case involved a prominent political figure
- Policy experts and researchers — people whose work threatens the interests of surveilling governments
- Government officials — including officials in countries allied with the deploying government
This isn't mass surveillance — it's targeted monitoring of specific individuals. But the technology continues to spread as Intellexa finds new customers despite sanctions.
How to Protect Yourself
For Everyone
- Don't click links from unknown senders — especially "breaking news" or urgent-sounding messages
- Update your OS and apps immediately — patches close the vulnerabilities Predator exploits
- Watch for unusual device behavior — unexpected battery drain, slowdowns, or data usage spikes
- Use a VPN on untrusted networks — encrypts traffic and blocks malicious sites that could host exploit payloads
For High-Risk Individuals
- Enable Lockdown Mode on iPhone — restricts features that spyware commonly exploits
- Use separate devices for sensitive work and personal use
- Seek professional forensic analysis if you suspect your device has been compromised
- Contact digital security organizations — Citizen Lab, Access Now, and EFF provide support for targeted individuals
Predator vs. Pegasus
Both are commercial spyware, but they differ in approach:
| Feature | Predator | Pegasus |
|---|---|---|
| Developer | Cytrox / Intellexa | NSO Group |
| Primary infection | Malicious links, ads | Zero-click exploits |
| Indicator bypass | Suppresses iOS dots | Varies by version |
| Sanctions | US Treasury (2024) | US Commerce Dept (2021) |
| Scale | Growing | Widespread |
Both represent the same fundamental threat: commercial surveillance tools that undermine the security of consumer devices.
The Bottom Line
Predator proves that your phone's built-in security indicators can't always be trusted. The defense is the same as with any advanced threat — keep your software updated, be cautious with links from unknown sources, and assume that sophisticated attackers can bypass visible warnings.
For most people, Predator isn't a direct threat. But the techniques it uses trickle down to less sophisticated malware over time. The security habits you build today protect you against tomorrow's threats.
