Apple’s iPhone Spyware Problem Is Getting Worse. Here’s What You Should Know
The iPhone manufacturer has identified spyware attacks targeting individuals in over 150 countries. Determining if your device has been compromised may be challenging, but there are several measures you can implement to safeguard yourself.
In April, Apple took swift action by notifying iPhone users in 92 countries that they had been targeted with spyware. This mercenary spyware attack sought to compromise the iPhones associated with users’ Apple IDs, as revealed in the alarming notification sent by Apple.
Following the incident, users turned to social media platforms in an attempt to decipher the meaning of the notification. It is concerning that a large number of those targeted were based in India, with reports of Apple’s warning also emerging from Europe.
Despite the passage of weeks, the details of these latest iPhone attacks remain shrouded in mystery. Although former smartphone giant Blackberry, now a security firm, released research tying the attacks to a Chinese spyware campaign named “LightSpy,” Apple’s spokesperson Shane Bauer has dismissed this as inaccurate. Additionally, experts at security firm Huntress have indicated that the variant analyzed by Blackberry was a macOS version, not iOS.
Notably, April’s warning is not the first of its kind from Apple. The tech company has issued alerts to individuals in over 150 countries since 2021, as spyware continues to pose threats to high-profile individuals worldwide.
It is crucial to understand that spyware can be wielded as a weapon by nation-state adversaries, albeit infrequently and at considerable expense. These attacks are meticulously targeted at specific groups, including journalists, political dissidents, government workers, and businesses in specific sectors.
Apple’s advisory in April highlighted the significant complexity and resources mobilized by mercenary spyware attackers to target a restricted number of individuals and their devices. These attacks come at exorbitant costs and are challenging to detect and thwart. The majority of users are unlikely to fall victim to such attacks.
Moreover, Apple asserts that its Lockdown Mode feature offers robust protection against such attacks. According to Bauer, there are no reported successful attacks on devices utilizing Lockdown Mode. Nevertheless, for those who are targeted and caught off guard, spyware presents an extremely grave threat.
Zero Click Attacks
Spyware grants attackers unauthorized access to a smartphone’s microphone, enabling them to monitor conversations, as well as intercept and read encrypted messages from apps like WhatsApp and Signal. The spyware also allows them to track the user’s location, extract passwords, and gather sensitive information from various applications.
While in the past, spyware was typically delivered through phishing attempts, where the victim had to click on a malicious link or download an image, today it has evolved into more sophisticated methods known as “zero-click attacks.” These attacks can be initiated by simply receiving an iMessage or WhatsApp image, which, without any interaction from the user, installs the spyware on the device automatically.
In 2021, Google’s Project Zero researchers unveiled the use of an iMessage-based zero-click exploit targeting a Saudi activist, emphasizing that there is no effective defense against such exploits. They stated that aside from not using a device at all, there is no way to prevent being targeted by a zero-click attack, making it a formidable weapon that cannot be easily countered.
The spyware infection chain utilizing zero-click exploits via iMessage was demonstrated by cybersecurity firm Kaspersky as part of its Operation Triangulation research last year. The process involves the victim receiving an iMessage with an attachment carrying a zero-click exploit. Once the message is received, the vulnerability is triggered automatically, executing code that grants the attacker full control over the compromised device.
Importantly, once the attacker has established their presence on the device, the incriminating message is promptly deleted, leaving little trace of their intrusion.
Rise of Pegasus
At the forefront of the spyware arena stands Pegasus, a notorious creation by Israeli company NSO Group designed to exploit vulnerabilities in iOS and Android software.
The existence of spyware can be attributed to vendors like NSO Group, claiming to exclusively provide exploits to governments for the purpose of hunting criminals and terrorists. “However,” explains Richard Werner, a cybersecurity advisor at Trend Micro, “these exploits come with the condition that customers, including governments in Europe and North America, must not disclose the vulnerabilities.”
Contrary to NSO Group’s claims, spyware continues to pose a threat, targeting journalists, dissidents, and protesters. Hanan Elatr, the wife of late Saudi journalist and dissident Jamal Khashoggi, was purportedly targeted with Pegasus before his tragic death. Similarly, in 2021, New York Times reporter Ben Hubbard discovered that his phone had been targeted twice with Pegasus.
Pegasus silently infiltrated the iPhone of Claude Magnin, the wife of political activist Naama Asfari, who was imprisoned and allegedly tortured in Morocco. Furthermore, Pegasus has been employed against pro-democracy demonstrators in Thailand, Russian journalist Galina Timchenko, and even UK government officials.
Responding to the mounting threat, Apple has taken legal action against NSO Group and its parent company, seeking accountability for “the surveillance and targeting of Apple users.”
While the legal battle is ongoing, with NSO Group attempting to dismiss the lawsuit, experts predict that the problem will persist as long as spyware vendors are allowed to operate.
David Ruiz, senior privacy advocate at security firm Malwarebytes, points the finger at “the obsessive and oppressive operators behind spyware, who exacerbate its harm to society.”
The Spyware Drain
If you suspect that you’re being targeted by spyware, there are a few important steps you can take. Firstly, activate Apple’s Lockdown Mode to safeguard your iPhone from potential infections. Despite disabling certain features, Lockdown Mode remains surprisingly usable and effective. Secondly, if you believe your device is already infected, seek assistance from helplines like Access Now’s Digital Security Helpline or Amnesty International’s Security Lab, as they can provide helpful guidance on spyware removal.
Detecting spyware can be extremely challenging, especially with advanced forms like Pegasus. Discovering an infection by yourself is practically impossible. However, there are less-sophisticated types of spyware that can exhibit unusual behavior such as rapid battery drain, unexpected shutdowns, or excessive data usage. These signs may indicate an infection, according to Javvad Malik, a lead security awareness advocate. Although there are apps claiming to detect spyware, their effectiveness can vary, and it’s often best to seek professional help for reliable detection.
Chris Hauk, a consumer privacy advocate, also points out that significant battery drain is a strong indicator of unsophisticated spyware. Most spyware isn’t developed to run efficiently, leading to a faster depletion of battery life.
However, sophisticated spyware like Pegasus doesn’t exhibit obvious indicators like battery drain or data-usage issues, says Apple’s Bauer. These symptoms are more relevant to basic Android spyware, not the highly targeted mercenary spyware that can go undetected on users’ devices.
If you suspect you’re targeted by lower-grade spyware, be vigilant for unfamiliar apps, forced browser redirects, and changes to default browser or search engine settings.
Kaspersky’s team introduced a method to detect indicators of infection from sophisticated iOS spyware like Pegasus, Reign, and Predator. This method can be effective because Pegasus infections leave traces in an unexpected place: the system log Shutdown.log, within the sysdiagnose archive of iOS devices. However, it’s crucial to work with professionals like Access Now and Amnesty to uncover sophisticated spyware infections. It’s also advisable to keep the potentially infected device for professional analysis.
Restarting your device at least once a day can also help safeguard against spyware. It increases the chances of detection over time by forcing attackers to repeatedly reinfect the device. However, this method is only effective against unsophisticated spyware, as highly developed spyware can persist on the device.
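The two points above, traces in Shutdown.log and the value of frequent reboots, can be checked together from a single file in the sysdiagnose archive. The script below is an added example for this article, not Kaspersky’s or Apple’s code. It assumes a simplified Shutdown.log layout based on public descriptions of the file: each reboot begins with a `SIGTERM:` line, and any process still alive while the system shuts down is recorded as `remaining client pid: <pid> (<path>)`. The sample log, the allow-listed path prefixes, and the flagged path are all constructed for illustration.

```python
"""Scan an iOS Shutdown.log (from a sysdiagnose archive) for processes that
delayed shutdown and for how often the device was rebooted.

Added example, not Kaspersky's or Apple's code. The log format handled here
is a simplified assumption: each reboot is recorded as a 'SIGTERM:' line
carrying a date, and any process still running while the system shuts down
is recorded as 'remaining client pid: <pid> (<path>)'.
"""
import re
from collections import Counter

# Constructed sample log, not captured from a real device. Dates, pids and
# paths are made up for illustration.
SAMPLE_SHUTDOWN_LOG = """\
SIGTERM: [0x1a0] 2024-05-01 08:02:11
After 3 sec, remaining client pid: 101 (/usr/sbin/mediaserverd)
SIGTERM: [0x1a1] 2024-05-02 07:55:40
SIGTERM: [0x1a2] 2024-05-02 22:10:03
After 3 sec, remaining client pid: 133 (/usr/libexec/locationd)
After 4 sec, remaining client pid: 742 (/private/var/tmp/.hidden/updater)
SIGTERM: [0x1a3] 2024-05-04 09:20:17
"""

# Binaries that legitimately run late into shutdown normally live under these
# prefixes. This allow-list is a heuristic chosen for the example, not a
# vetted reference; anything outside it is flagged for human review only.
EXPECTED_PREFIXES = ("/usr/", "/System/", "/Applications/")

SIGTERM_RE = re.compile(r"^SIGTERM: \[0x[0-9a-fA-F]+\] (\d{4}-\d{2}-\d{2})")
CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)$")


def parse_shutdown_log(text):
    """Return (list of reboot dates, list of (date, pid, path) lingering clients)."""
    reboots = []
    clients = []
    current_date = None  # date of the reboot the following client lines belong to
    for line in text.splitlines():
        m = SIGTERM_RE.match(line)
        if m:
            current_date = m.group(1)
            reboots.append(current_date)
            continue
        m = CLIENT_RE.search(line)
        if m:
            clients.append((current_date, int(m.group(1)), m.group(2)))
    return reboots, clients


def suspicious_clients(clients, prefixes=EXPECTED_PREFIXES):
    """Lingering processes whose binary sits outside the expected system paths."""
    return [c for c in clients if not c[2].startswith(prefixes)]


def reboots_per_day(reboots):
    """Count reboots per calendar day; a day with no reboot is simply absent,
    which is itself worth noticing if the owner restarts daily."""
    return Counter(reboots)


def report(text=SAMPLE_SHUTDOWN_LOG):
    """Summarise one Shutdown.log: reboot cadence plus paths to review."""
    reboots, clients = parse_shutdown_log(text)
    per_day = reboots_per_day(reboots)
    return {
        "reboots": len(reboots),
        "days_with_reboot": sorted(per_day),
        "lingering_clients": len(clients),
        "flagged": suspicious_clients(clients),
    }


if __name__ == "__main__":
    result = report()
    print(f"{result['reboots']} reboots on days {result['days_with_reboot']}")
    for date, pid, path in result["flagged"]:
        print(f"review: pid {pid} at {path} delayed shutdown on {date}")
```

On a real archive, point `report()` at the contents of Shutdown.log instead of the constructed sample. A flagged path is a prompt to hand the device to a specialist such as the helplines named above, not proof of infection; a missing day in the reboot count is a prompt to check whether the daily-restart habit actually held.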
To further protect your device if you suspect you’re being targeted, consider disabling iMessage and FaceTime to reduce the risk of falling victim to zero-click attacks. Additionally, keep your device updated with the latest software and avoid clicking on links received in messages, including emails. Following these precautions along with using multifactor authentication and installing applications from verified sources can enhance your device’s security, advises Adam Price, a cyber threat intelligence analyst.
Updated 4:15 pm ET, May 6, 2024: Apple has informed WIRED that its “latest threat notifications” were not related to LightSpy as suggested by recent research from Blackberry. Apple also disputes claims that battery drain, shutdowns, and high data usage indicate a spyware infection, considering them “unsubstantiated.” Furthermore, highly sophisticated spyware infections on iOS are rare, as highlighted by WIRED.