The big picture: In 2021 Apple began notifying specific iPhone users, including journalists, activists, and government dissidents, that they were being targeted by spyware. This malicious software is particularly dangerous because it can be installed via a zero-click attack, with no action by the victim, and can then read and listen to almost everything on the device. Apple provides only limited details on how it detects possible attacks, to avoid helping attackers evade detection. Apple has also introduced Lockdown Mode to reduce the attack surface that such spyware relies on.
Apple has alerted iPhone users across 98 countries about potential mercenary spyware attacks. This follows a similar warning issued in April to users in 92 countries, signaling an increasing or persistent issue with spyware.
The warning did not disclose the attackers’ identities or specify the countries of the affected users. However, it indicated that the targeted individuals were likely chosen due to “who you are or what you do.” Apple emphasized the gravity of the situation by stating its “high confidence in this warning – please take it seriously.”
Last year, Apple revised the language in its notifications, referring to these incidents as “mercenary spyware attacks” instead of the previously used term “state-sponsored” attacks.
“Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices,” Apple explained in an advisory in April. “Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks.”
The spyware provides attackers with access to the smartphone’s microphone and allows them to read everything written on the device, including messages on encrypted apps like WhatsApp and Signal. They can also track the user’s location, collect passwords, and extract information from various apps.
The sophistication of these attacks is increasing. Previously, a victim needed to click on a link or open an attachment to activate the spyware. Now, zero-click attacks exploit a flaw in the code that parses an incoming message or attachment, so a malicious iMessage or WhatsApp image can compromise the device simply by being received, without any user interaction.
Certain groups, such as journalists, activists, and government personnel, are usually the primary targets. One notorious example is Pegasus, highly advanced spyware developed by the Israeli cyber-arms company NSO Group, which has been extensively used by governments to monitor high-profile targets. It can compromise both Android and iOS devices.
Another example is LightSpy, iOS spyware first seen in a 2020 campaign aimed at Hong Kong protesters, which has since evolved to include detailed location tracking and sound recording.
Detecting spyware on an iPhone is difficult, because mercenary spyware is designed to leave as few traces as possible. Commonly cited indicators such as rapid battery drain, unusual device behavior, high data usage, and unexpected heating are unreliable: they are just as often caused by ordinary apps, and a well-built implant produces none of them. Anyone who has received an Apple threat notification should treat it as the strongest signal available and seek expert help rather than rely on such symptoms; forensic checks of a device backup, for example with Amnesty International's Mobile Verification Toolkit, are the usual next step. Additionally, Apple has introduced a security feature called Lockdown Mode, which protects high-risk individuals by removing functionality that these attacks commonly exploit: most message attachment types and link previews are blocked, some web technologies such as just-in-time JavaScript compilation are disabled in Safari, incoming FaceTime calls and invitations from unknown contacts are blocked, and wired connections to a locked device are refused.