Microphone & camera spy detection.

Everything else spyware does — reading your messages, harvesting your files, tracking your location — is reconnaissance. The microphone and camera are the payload. They turn the phone in your pocket into a roving bug that records your conversations, your meetings, your surroundings, even when no call is in progress and the screen is dark. Helix watches those sensors in real time and alerts you the instant another app activates either one, so a silent recording can't run behind your back. Here's how it works — and the one adversary it can't fully out-see.

1. The sensors are the prize

It's worth being blunt about what mercenary spyware is ultimately for. An operator doesn't spend a fortune compromising a phone for the abstract thrill of access. They want what the phone can hear and see. Documented capabilities of Pegasus-class spyware put live microphone and camera access at the very top of the list: the ability to switch on the mic and quietly record a meeting, a negotiation, a private conversation in a room the target thinks is secure — and to capture the camera, surroundings and the people present, all streamed silently back to the operator.

This is the "roving bug": surveillance equipment you carry everywhere, into every room, that the target paid for, charges nightly and never leaves behind. Old-fashioned bugging required breaking into a room and planting a device. The modern version requires compromising the device the target already brings into every room voluntarily. That's why the sensors are the prize, and why a recording that runs without your knowledge is the outcome the whole expensive infection chain exists to produce. (For the full picture of how that chain reaches this point, see how Pegasus spyware works.)

2. How the live monitor works

Helix watches the device's microphone and camera and detects the moment either one is activated by an app. When something switches on the mic or the camera, Helix knows — and if it's not you knowingly using an app that should have access in that moment, Helix throws an immediate, loud on-screen alert telling you which sensor just came on. The premise is simple and hard for spyware to evade: to record you, the implant has to actually use the sensor. There is no way to capture audio without engaging the microphone or capture video without engaging the camera. The act of spying is the act of turning the sensor on — and that activation is exactly what the monitor is built to catch.

Some platforms now ship a small visual indicator when the mic or camera is in use — a colored dot in the status bar. That's genuinely helpful, and it's also easy to miss: a dot in the corner of a screen you're not looking at, that vanishes the moment you glance over, is not a reliable alarm for a determined surveillance attempt. Helix's monitor is built to be an actual alert — unmissable, on-screen, naming what happened — rather than a subtle hint you have to be staring at the right pixel to notice. It's the difference between a light you might catch and a witness that speaks up.

As with the rest of the Helix shield, the monitor alerts and lets you decide. It doesn't silently kill apps or take destructive action on its own. It tells you a sensor just activated, and you decide whether that was you, a legitimate app, or something that has no business listening.

3. Why your eyes aren't enough

People assume they'd notice if their phone were recording them. They wouldn't. A silent recording produces no sound, no vibration, no visible app, no obvious battery alarm loud enough to register. The phone sits on the table looking exactly as it always does. The screen can be off. The recording app, if there even is a visible one, isn't on screen. Everything about a well-built surveillance payload is engineered to be unnoticeable — invisibility is its single most important feature, because a bug that announces itself is a bug that gets removed.

That's the gap a live sensor monitor fills. You can't watch your own microphone — it produces nothing for you to watch. But software running on the device can notice the sensor being engaged and raise an alarm you'll actually see. It converts "your phone might be listening and you'd never know" into "your phone tried to listen and Helix just told you." Removing the silence is the whole game, exactly as it is with real-time spyware detection more broadly.

4. The real-world threat it stops

Picture the moments that matter. You're in a closed-door negotiation and your phone is face-down on the table; an implant switches on the mic and the other side hears your walk-away number before you say it. You're in a privileged client meeting and the camera quietly captures who's in the room. You're discussing a deal, a case, a position, a plan — in a space you believe is private — and a roving bug streams all of it to someone who paid to hear it. None of these leave a trace you'd catch on your own.

Against each of those, the monitor is the alarm that fires when the sensor comes on. The implant can be as stealthy as its authors can make it in every other respect, but it cannot record you without engaging the very hardware Helix is watching. The instant it reaches for the mic or camera, the silent operation it depends on becomes a timestamped event you can see — and act on, by ending the conversation, removing the phone, or invoking Helix's other defenses like cut-all-comms or travel mode. The point isn't just detection for its own sake; it's giving you back the ability to know when a sensitive room has stopped being private.

5. Why this matters to you specifically

If your conversations are valuable to someone, your phone's mic and camera are the most direct way to take them — no transcript to intercept, no encryption to defeat, just the words themselves and the room they were said in.

• Crypto holders and whales. Discussions of holdings, custody arrangements, travel plans and who knows what are exactly what precedes a targeted physical or social-engineering attack. A hot mic in those conversations is intelligence of the most actionable kind. Knowing the moment a sensor activates is knowing when to stop talking.
• Lawyers. Privileged conversations are privileged only if they're not overheard. A phone that records a client meeting hands the other side strategy, candor and admissions that no document would ever contain. The monitor is a tripwire on the room itself.
• Family offices and executives. Boardroom discussions, deal terms, succession plans and the candid asides around them are worth more than the cost of an exploit to a rival who can hear them. The mic in the room is the most valuable surveillance target you carry, and the monitor watches it.
• Journalists and their sources. A recorded interview with a confidential source exposes a voice, a location, a relationship. A camera that captures who walked into the meeting can burn a source outright. An alert when the sensor activates is protection for the people who trusted you with their safety.
• Anyone targeted. In a contested divorce, an inheritance fight or a hostile dispute, a quietly recorded conversation is leverage. The barrier to deploying surveillance against a private individual keeps falling. Knowing when your own device is listening is knowing when your private moments have an audience.

6. How Helix implements it

The monitor is built into the Helix client and runs continuously on standard iOS and Android, plus desktop platforms, watching for microphone and camera activation. A few implementation points:

• It watches activation, not content. Helix detects that a sensor came on and which one — it does not, and would never, capture what the mic hears or the camera sees. That would be the very surveillance it exists to prevent.
• It alerts immediately and clearly. The moment another app activates the mic or camera unexpectedly, you get a loud, unmistakable on-screen warning — not a subtle indicator you have to be looking for.
• It puts you in control. The monitor never silently kills apps or takes destructive action. It surfaces the event and lets you decide the response — including escalating to cut-all-comms, travel mode or a burn if you conclude you're compromised.
• It's one layer in the shield. Sensor monitoring works alongside live spyware detection, the daily file scan, network/evil-twin detection and device-posture checks — each removing something an attacker needs. Platform rules govern exactly how much visibility an app gets into sensor state, and the monitor reflects what each platform allows.

7. The honest limits — read this part

This feature is powerful precisely because spying requires using the sensor. But there's a class of adversary that can break that assumption, and we won't hide it.

Here's the nuance. The monitor relies on observing sensor activation as the operating system reports it. Most surveillance — including a great deal of real-world spyware behavior — does engage the sensors through paths the OS can see, because that's how the hardware is normally driven. But an implant that has burrowed all the way down into the kernel sits beneath the layer the monitor observes; it can potentially drive the hardware or intercept its data without surfacing an activation event that any userspace app, Helix included, would catch. No tool running in userspace on a stock phone can fully beat an adversary who owns the kernel — that's the same hard truth that runs through all on-device detection, and we state it plainly rather than pretend the monitor is magic.

So what's it worth? A great deal, because the kernel-resident, perfectly-stealthy implant is the expensive exception, not the rule. Plenty of surveillance is carried out by tooling that uses the sensors through ordinary channels — and against all of that, an immediate, unmissable alert is exactly the defense you want. It also raises the bar: an adversary now has to spend a top-tier kernel-level capability and operate it flawlessly just to listen without tripping the monitor, rather than reaching for the mic through the normal API like everything else does. That's a far higher cost, imposed on the most expensive attackers, on every device you carry. Detection doesn't promise you'll catch the rarest ghost. It promises that the common, affordable surveillance that fells most targets doesn't get to run in silence on your phone.

The OS indicator dots are a start, not a solution

It's reasonable to ask whether the little green and orange dots that modern phones show when the camera or mic is active already solve this. They help — they were a genuine step forward, and they exist because the platforms themselves recognized the roving-bug threat. But lean on them too hard and the gaps show. The dot only helps if you happen to be looking at the screen at the exact instant a sensor activates, and a surveillance payload can choose to record in brief, opportunistic bursts that are easy to miss. The dot tells you a sensor is on; it doesn't tell you which app turned it on, and it certainly doesn't keep a record you can review later. Helix's monitor is built to be an alert in the real sense: it speaks up when an activation is unexpected, names what happened, and is designed to be noticed rather than glimpsed. The platform dot and the Helix monitor point the same direction — but one is a passive hint and the other is an active witness. For someone who is actually a target, the difference between "might have caught it" and "got told about it" is the whole point.

What to do the moment the monitor fires

An alert is only as useful as your response to it, so it's worth thinking through the moment in advance. If Helix tells you the mic or camera just activated and it wasn't you, the first move is situational: if you're in a sensitive conversation, the device has stopped being trustworthy in that room — get it out, or stop talking. From there you have the rest of the Helix shield to escalate with. Cut-all-comms silences the device's radios so nothing it captured can leave through the app. Travel/border mode goes dark and arms defenses in one toggle. If you conclude the device is genuinely compromised, a one-tap burn and a clean reinstall — ideally onto a hardened baseline — limits the blast radius. The monitor's job is to hand you the fact while you still have options; the rest of the posture is what turns that fact into action. Surveillance wins by leaving you unaware until it's too late. A timely alert plus a planned response is how you take that timing advantage back.

8. The bottom line

The microphone and camera are not a side feature of spyware — they're the entire point, the payload the whole expensive infection chain exists to deliver. Helix watches those sensors in real time and tells you, loudly and immediately, the instant an app activates either one, turning the silent roving bug into something you can finally notice. A kernel-level implant that owns the OS can capture beneath the layer the monitor sees — we say so honestly — but the common, affordable surveillance that catches most people has to use the sensors through channels Helix watches. If your conversations are worth recording to someone, knowing the moment your phone starts listening is not a luxury. It's the alarm that gives you the chance to act.

Three tiers, fixed and published: Core $199 · Operator $499 · Sovereign $999. Buy it or don't — no negotiation, no surprises.