Developers of so-called mercenary spyware, and the governments and organisations that use such products, are once again the subject of a major Apple security alert, after Cupertino issued warnings to iOS device users in 92 countries.
In the alert email, Apple informed users that it had detected they were being targeted by a mercenary spyware attack that was trying to remotely compromise the device associated with their Apple identities.
“This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning—please take it seriously,” the email reads.
Such threat notifications are designed to inform and assist users who have been individually targeted by such attacks, which are distinct from more run-of-the-mill cyber criminal activity in that the malware used is supposedly legitimate and generally deployed by nation states against targets of interest.
The vast majority of iPhone users will never be targeted by such attacks, which apart from anything else are extremely costly to organise, but over the past couple of years, malware developed by private companies – famously the disgraced Israeli developer NSO, which makes a product called Pegasus that has been implicated in various human rights abuses – has been deployed against prominent targets including activists, diplomats, journalists and politicians.
Such is the scale of the problem that Apple now sends threat notifications on a semi-regular basis, although it no longer attributes the attacks to any specific organisations or countries. It has also recently stopped using the term state-sponsored, a change that has been suggested to be a response to pressure from the Indian government, which has been accused of such activity.
“This notification from Apple about the iPhone attack is particularly alarming when looking at the scale and precision of this campaign. When a company like Apple, known for its robust security measures, raises an alarm across 92 countries, it underscores not just the sophistication but the audacity of these attackers,” said KnowBe4’s lead security awareness advocate, Javvad Malik.
“What stands out in Apple’s warning is the phrase ‘mercenary spyware attack.’ This isn’t about broad nets cast wide in the hope of catching unsuspecting users. It’s a clear, sharp spear aimed with precision with tools that are now available to the highest bidder, regardless of their motives.
“This is particularly important for individuals in positions of influence or with access to sensitive information, to be ever-vigilant about their digital security. Apple’s proactive stance in notifying affected users and the broader public is commendable. It’s a reminder that in the digital age, staying ahead of cyber threats requires constant vigilance, both from organisations and individuals to reduce the likelihood of successful attacks,” said Malik.
Was I a target?
Targets of the identified activity should all see a notice to this effect at the top of the page if they sign in to appleid.apple.com, and Apple has also sent warnings via email and iMessage notification to the email addresses and phone numbers associated with the user’s ID. The notifications also detail additional steps that targeted users can take to protect their devices, such as turning on Lockdown Mode.
Users who receive notifications are strongly advised by Apple to enlist help – it recommends the Digital Security Helpline run by the Access Now non-profit, which works with Apple and can assist targeted users with tailored guidance.
Users who do not receive notifications do not need to take any action, but may wish to turn on additional Apple security features too. As a matter of course, all users should keep iOS devices fully updated and protected with a passcode, use two-factor authentication and strong credentials to protect their Apple IDs, use strong and unique passwords everywhere they go online, only install legitimate apps from the App Store, and avoid clicking on unsolicited links or attachments from unknown senders.
Ted Miracco, CEO of Approov, a specialist in mobile app security, said: “For Apple users, one of the most significant steps you can take to protect your data is enabling Advanced Data Protection for iCloud. This feature significantly enhances the security by using end-to-end encryption for a broader range of data types.
“We strongly urge users who might be at higher risk due to their profession or visibility, to also enable Lockdown Mode on their Apple devices. Lockdown Mode is a comprehensive shield designed to prevent the most advanced digital threats by limiting the attack surface that spyware exploits.”
False sense of security
Historically, said Miracco, some Apple users may have had a false sense of security when it came to the risks and threats facing their devices. However, he warned, the default settings on iOS are not designed to guard against more sophisticated intrusions like mercenary spyware.
“The default settings on iOS are seemingly designed for user experience and convenience…. This reality is parallel to that of Android devices, where default settings also aim to balance security with user convenience and so fall far short against highly-targeted and well-funded attacks,” he said.
“The key point here is not to single out one platform over another but to highlight the broader industry challenge. The existence of features like Lockdown Mode and Advanced Data Protection for iCloud on Apple devices underscores the company’s awareness of these sophisticated threats, and a commitment to offering tools that users can employ to enhance their security.
“However, these tools often require manual activation and a deeper understanding of the potential threats, leading to a gap in security for users who do not adjust beyond the default settings,” he said.