Recent events saw numerous iPhone and Android users alerted to potential spyware targeting their devices. Subsequently, both Apple and Google released security updates to address vulnerabilities believed to have been exploited for installing this discreet malware on specific phones.

Spyware presents a severe risk, allowing attackers to monitor all smartphone activities, including communications on encrypted platforms like WhatsApp and Signal. Historically, this malware has primarily targeted high-value individuals such as dissidents, journalists, politicians, and business leaders in sensitive fields.
Notable individuals, including former Amazon CEO Jeff Bezos and Hanan Elatr, the spouse of Jamal Khashoggi, have been victims of NSO Group’s Pegasus spyware.
While prevalent among these specific groups, experts suggest spyware’s reach is expanding. Google’s researchers recently detailed an exploit chain used to covertly install Predator spyware on devices, coinciding with threat notifications issued by the company.
This followed a warning from the US Cybersecurity and Infrastructure Security Agency (CISA), which cautioned that commercial spyware is actively being used by malicious actors to target mobile messaging applications.
Given the escalating risks, understanding how to safeguard an Android device or Apple iPhone is essential.
Understanding Zero-Click Attacks
Smartphones are frequently compromised by spyware through “zero-click” attacks. These sophisticated attacks allow a device to become infected without any user interaction, such as clicking a link or downloading a file.
Traditional mitigation methods are ineffective against such attacks. According to Pieter Arntz, a senior malware researcher at security firm Malwarebytes, once spyware infects a smartphone, attackers can access messages, record keystrokes, capture screenshots, monitor notifications, and even access banking applications.
Rocky Cole, cofounder of iVerify, an app designed to detect spyware, explains that with complete system access, spyware can exfiltrate data like emails and texts, send messages, steal credentials, and log into cloud systems.
Beyond zero-click methods, devices can also be infected if a user clicks on a malicious link received via text, email, or social media. Spyware can also be disguised within seemingly legitimate applications, hidden in image files downloaded through messages, or delivered by exploiting browser vulnerabilities.
Richard LaTulip, a field CISO at security company Recorded Future, which collaborated with Google on Predator spyware research, notes that while malicious links and fake apps are common infection vectors, more subtle methods are also being employed.
LaTulip highlights recent research on malicious browser extensions, which affected millions, demonstrating how seemingly innocuous tools can transform into surveillance mechanisms.
Such techniques, frequently developed by government-linked adversaries, suggest a shift towards “more covert, persistent, and deeply embedded device compromises.”
The Expanding Scope of Spyware
Spyware has emerged as a significant concern in recent years. While governments and the companies developing this malware claim it is exclusively for targeting criminals, terrorists, or national security threats, its application often extends beyond these stated purposes.
Rebecca White, Amnesty International’s researcher on targeted surveillance, states that human rights activists, journalists, and others globally have been unlawfully targeted. This indicates spyware’s potential as a tool of repression, used to silence individuals who challenge authority.
A notable case is Thai activist Niraphorn Onnkhaow, who was targeted 14 times by Pegasus spyware during Thailand’s pro-democracy protests between 2020 and 2021. Fearing her private data could be exploited, she subsequently withdrew from the movement.
White emphasizes that data can be weaponized, leading to increased abuse both online and offline, particularly for individuals already facing discrimination based on identity, such as gender or race.
Beyond activists, mobile spyware is increasingly targeting a broader demographic, including those in business environments. Cole from iVerify notes that it affects “a wide range of society,” from government officials to financial IT workers, and is increasingly used to steal credentials for enterprise access, moving beyond mere intelligence gathering.
Indicators of Spyware Infection
Detecting spyware, especially advanced versions such as Pegasus and Predator, is challenging and often requires forensic analysis. However, subtle indicators might include a device overheating, experiencing performance slowdowns, or the camera or microphone activating unexpectedly.
LaTulip adds that while sophisticated spyware may leave minimal visible traces, sudden performance degradation or connectivity issues can act as early warning signals.
A more direct sign of a sophisticated attack is an official threat notification from companies like Apple, Meta, or Google, which White advises should be taken seriously.
Other potential signs include the leakage of previously unshared private information, or the discovery that close contacts such as colleagues or friends have also been compromised.
Preventing and Mitigating Spyware Threats
The most effective approach to counter spyware is proactive prevention. For iPhone users at risk, Apple provides Lockdown Mode. This feature offers enhanced security by limiting certain functionalities, such as blocking most message attachments and incoming FaceTime calls from new contacts. Its capabilities have been refined through updates.
To activate Lockdown Mode on an iPhone, navigate to Settings > Privacy & Security > Lockdown Mode, then tap Turn On Lockdown Mode.
Ivan Krstić, Apple’s vice president of security engineering and architecture, states that widespread malware attacks against the iPhone have not occurred. Apple has observed system-level iOS attacks only from mercenary spyware, indicating that only the most sophisticated types of spyware have successfully infected iPhones.
Krstić explains that mercenary spyware is typically linked to state actors, costing millions to target a select few individuals and their devices. He notes Apple’s ongoing efforts to combat spyware, including Lockdown Mode and Memory Integrity Enforcement. This latter feature, introduced with the latest iPhone models, offers “comprehensive, always-on memory-safety protection” to counter memory corruption exploits frequently used in spyware attacks.
Krstić expresses confidence in Memory Integrity Enforcement, calling it “the most significant upgrade to memory safety in the history of consumer operating systems.”
For Android users, Google provides Advanced Protection, a spyware defense feature. Android 16 enhancements include intrusion logging, USB protection, and the ability to disable automatic reconnection to insecure networks. It can be activated through Settings > Security & Privacy > Other Settings > Advanced Protection.
White advises all users to be cautious about clicking links from unknown sources and to monitor device functionality for unusual changes. She suggests that a reputable VPN can aid in preventing certain types of surveillance and censorship. Additionally, users should carefully evaluate new social media follower requests before accepting them. For private and anonymous browsing, accessing Amnesty’s secure onion website via the Tor network’s browser is recommended.
Arntz also recommends maintaining “strict control” over all installations on a device.
It is also important to avoid side-loading applications on Android devices and to keep both the mobile operating system and all apps fully updated. LaTulip cautions that “patches often close the same vulnerabilities that spyware relies on.”
Experts suggest that restarting a smartphone can temporarily disrupt spyware. However, if a device is confirmed to be infected, replacing it entirely is often recommended as the most secure solution.
For civil society members concerned about spyware targeting, organizations like Access Now and Reporters Without Borders offer support, in addition to Amnesty International.
LaTulip advises maintaining a healthy skepticism, acknowledging that compromise is possible without succumbing to paranoia that hinders normal device usage.