Apple's Global Security Alert: Mercenary Spyware Targeting iPhone Users

Pegasus, a sophisticated zero-click mobile surveillance spyware capable of infiltrating iOS and Android devices to secretly collect extensive information, is one of the major concerns.

Pegasus and an iPhone
The Lockdown Mode feature of iPhones is reported to be effective in blocking the activity of the Pegasus spyware.

Bleeping Computer, the technology news platform, has shared the global security alert Apple is now sending to iPhone users in ninety-two countries to warn them about ongoing mercenary spyware attacks.

"Apple has detected that you are being targeted by a mercenary spyware attack attempting to remotely compromise the iPhone associated with your Apple ID -xxx-," Apple’s alert states, explaining that mercenary spyware attacks, involving tools like Pegasus developed by the NSO Group, are a significant concern.


According to Apple, mercenary spyware attacks stand apart from typical cybercriminal activities or consumer-grade malware due to their exceptional sophistication, often exploiting previously unknown vulnerabilities and software flaws, which in turn makes them quite costly.

The cybersecurity firm Avast, in turn, claims that "Pegasus is the most technically sophisticated spyware in history — used to track political leaders, journalists, and activists worldwide."

iMessage with a threat notification from Apple
Source: Apple

Avast describes Pegasus as a sophisticated zero-click mobile surveillance tool targeting iOS and Android devices, explaining that it "can be installed on a target’s phone without the victim needing to take any action themselves." Initially designed to combat terror and crime, Pegasus has evolved into a formidable cyber weapon with extensive data-collection capabilities, including monitoring app usage, tracking location data, accessing and retrieving texts and emails, and controlling a device’s microphone and camera.

Mercenary attacks are distinguished by their high level of targeting, tailored to specific individuals or a very small group of people.

"This attack is likely targeting you specifically because of who you are or what you do," Apple’s alert states. "Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning," it continues, urging the recipient to take it seriously.

Apple’s warning also provides recommendations to help users minimize the impact of the attack.

Apple advises enabling Lockdown Mode through the iPhone settings for enhanced privacy and security. It further suggests updating an affected iPhone to the latest version, iOS 17.4.1, and repeating these actions for all Apple devices in use.

Apple also recommends updating all messaging and cloud apps to leverage their most recent security improvements and "changing passwords for any sensitive websites and services accessed from your iPhone." Apple emphasizes that threat actors can potentially steal credentials for other services if their attack is successful.

"Enlist expert help, such as the nonprofit, rapid-response emergency security assistance provided by the Digital Security Helpline, available 24/7," Apple further suggests.

The news about the mercenary attack has sparked discussions within the user community. Some believe that Apple's ability to anticipate potential targets of such attacks indicates that the company may collect more information from devices than officially claimed.

While some in the community are confident that all iPhone traffic "goes back to Apple Servers through their secure proxy," others, like X user ErikExplains, suggest that there are ways to send such a notification "while preserving privacy," such as performing "a local state check for certain conditions and then popping up the notification when those conditions are met."

X user Omo also suggested a more drastic solution involving disabling JavaScript. "It will stop most of these complex chains dead in their tracks (Apple makes this easy because Safari/WebKit is used system-wide, even on third-party browsers)," Omo explains, adding that this will prevent many websites from loading, making the phone usable mainly for phone calls and sending and receiving SMS.

According to Omo, disabling JavaScript may help avoid exploit chains like "Operation Triangulation," which might have the capability to bypass Lockdown Mode.


In November 2023, Runa Sandvik, founder of Granitt, a company focused on the digital security of at-risk individuals such as journalists and activists, provided more information on how Lockdown Mode works.

"Lockdown Mode is not extreme, even if Apple says so," Sandvik says, while acknowledging that the feature does offer protection against "extreme attacks, such as targeting an iPhone with sophisticated spyware." Sandvik emphasizes that the mode works as long as it is turned on, but that it also provides flexibility, allowing users to exclude certain apps and sites if necessary.

"Lockdown Mode works on a managed device, but you need to install the profile before turning the mode on," Sandvik adds.

This is not the first time Apple has warned its users about threat actors targeting their devices, including with the Pegasus malware. Previously, Apple referred to these spying parties as "state-sponsored actors," but it now describes them as mercenary actors due to the increasing prevalence of private criminal groups.