Apple warns iPhone users about mercenary spyware attacks


Apple sent a threat notification to iPhone users in 92 countries on April 10 informing them that their device was “being the target of a mercenary spyware attack.” The alert, sent at 12:00 p.m. Pacific Time, told recipients that the attackers were trying to “remotely compromise” their phone and that they were likely being targeted specifically “because of who you are or what you do.” Apple's notification did not identify the alleged attackers or specify the location of its recipients.

iPhone users who have received the mercenary spyware attack alert should seek help from cybersecurity experts, Apple said on its dedicated support page.

What did Apple's latest threat notification say?

The emailed message has been seen by TechCrunch and Reuters. He reportedly says:

“Apple has detected that you are being targeted by a mercenary spyware attack that is attempting to remotely compromise the iPhone associated with your Apple ID -xxx-,

“This attack is likely targeted at you specifically because of who you are or what you do. Although it is never possible to achieve absolute certainty when detecting these types of attacks, Apple has great confidence in this warning: take it seriously.

“We cannot provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future.

“Mercenary spyware attacks, such as those used by NSO Group's Pegasus, are exceptionally rare and much more sophisticated than normal cybercriminal activity or consumer malware.”

According to Apple, the notification also included steps users can take to protect their device, including enabling lockdown mode, where certain apps, websites, and features are restricted to reduce the attack surface for spyware.

What is a mercenary spyware attack?

A mercenary spyware attack occurs when a third-party entity deploys spyware (malicious software used for surveillance purposes) on a target device. This entity does so on behalf of a paying client and aims to collect required confidential information or conduct surveillance without the direct involvement of its sponsor.

Spyware typically infiltrates a device through vulnerabilities in the software or through deceptive acts such as phishing. Once installed, you can monitor communications such as emails, text messages, and phone calls, track locations, steal passwords, access files, and even control the device remotely. Any data collected can be sent covertly to the operator.

SEE: New GoFetch vulnerability in Apple M chips allows leak of secret keys on compromised computers

The spyware will work without alerting the user and can be deployed on any device that connects to the Internet. It is extremely difficult to know if a device has been infected without detailed forensic analysis.

According to Apple's support page, individually targeted attacks of this nature “have historically been associated with state actors, including private companies that develop mercenary spyware on their behalf, such as NSO Group's Pegasus.”

Apple added that mercenary spyware attacks are “much more complex” than typical malware attacks and “cost millions of dollars” to implement due to an exceptional amount of resources being used against a small group.

What are Apple threat notifications?

Apple said its threat notifications (Figure A) are “designed to inform and assist users who may have been individually targeted by mercenary spyware attacks.” Notifications do not necessarily mean that spyware has been successfully implanted on the user's device.

Figure A

Screenshot of a threat notification appearing on the Apple ID website. Image: apple

If a user is suspected of being attacked, they will receive a notification on any device they are signed in with their Apple ID. A message is sent by both email and iMessage, and a notification appears at the top of the appleid.apple.com web page.

The tech giant said it uses “internal threat intelligence information and research” to detect mercenary spyware attacks, but cannot reveal exactly what triggers a threat notification “as that may help mercenary spyware attackers tailor their behavior to evade detection in the future.

Apple added that threat notifications are “high-confidence alerts” that a device has been the target of a spyware attack, but its investigations “can never achieve absolute certainty.”

According to Amnesty International, forensic tests carried out by them and other civil society groups on devices that had received such notifications reported: “In many cases, these forensic checks have confirmed that the devices of people who had received the notifications were indeed attacked and compromised with advanced spyware.”

When did Apple start sending threat notifications?

According to Apple, the company has been sending threat alerts like this since 2021 and does so several times a year. To date, users in 150 countries have been notified of a similar attack.

The last time Apple sent a threat notification was on October 31, 2023 and it was received in several countries. Recipients were notified that they were being attacked by “state-sponsored attackers”; Since then, Apple no longer uses the term state-sponsored in its threat notification policy, Reuters reported. In December 2023, Amnesty International revealed that Israeli surveillance company NSO Group was behind the October attack after deploying Pegasus spyware against journalists.

Apple's advice to users to protect their devices from malware

Research has found that 97% of all executives now access work accounts through their personal devices, and the figure rises to 99% for senior management. This creates a backdoor for cybercriminals to access sensitive corporate data through spyware, so employees must take steps to ensure their device is secure.

SEE: Mobile Device Security Policy (TechRepublic Premium)

Apple offers the following tips to all users to help protect them against all types of malware:

  • Update devices with the latest software as it includes the latest security fixes.
  • Protect devices with a password.
  • Use two-factor authentication and a strong Apple ID password.
  • Install apps from the App Store.
  • Use strong, unique passwords online.
  • Do not click on links or attachments from unknown senders.
scroll to top