Apple sends a spyware warning to users in 98 countries

Ray Fernandez

Jul 18, 2024

For the second time in 2024, Apple has issued a new threat notification alert to iPhone users across 98 countries. The warning is clear. Apple said those contacted are specifically being targeted “for who they are and what they do” by mercenary spyware attacks. 

Apple threat notifications are nothing new. The company has issued these types of notifications to users in over 150 countries since 2021. And the infamous NSO Group-developed Pegasus spyware has been repeatedly linked to mercenary spyware attacks on Apple users in past years.

What Apple’s threat notification says, and what it does not say

Apple hasn’t gone into detail about the sort of threat the iPhone users who received notifications are facing. The reason for this is to prevent mercenary spyware attackers from adapting their behavior and evading detection in the future. However, recent legal developments in a court case against the Israeli NSO Group and other news could be at the core of the problem. 

Apple’s threat notification to targeted users reads as follows: 

“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx.” 

As mentioned, Apple left no room for doubt when explaining to iPhone users why they were being targeted: 

“This attack is likely targeting you specifically because of who you are or what you do.”

Apple recognized that it’s impossible to be 100% certain when it comes to detecting targets and attacks. Still, the company said it has “high confidence in this warning” and urged users to “take it seriously.” 

Analysis of countries that might have received Apple notifications

It is unknown what countries the targeted iPhone users reside in. However, an article from The Times of India confirmed that users in the country were among those who received threat notifications. 

Users from India also received previous Apple iPhone mercenary spyware notifications. Amnesty International has been warning for years that high-profile journalists and politicians in India have been targeted and infected with Pegasus spyware. 

Mercenary spyware like Pegasus is used by governments and interest groups to spy on journalists, political activists, and similar targets. These illegal espionage campaigns have resulted in death, criminal prosecution, imprisonment, human rights violations, and opposition persecution.

In 2021, the BBC reported that since 2016, more than 50,000 people were targeted by Pegasus. In October 2018, Jamal Khashoggi, a US-based critic of Saudi Arabia’s government, was murdered and dismembered in the Saudi consulate in Istanbul. The investigation revealed that the spyware was being used to spy on Khashoggi’s inner circle. 

The website of NSO Group, makers of Pegasus. Image: Screenshot, Moonlock.

Besides reports of the spyware in India, Citizen Lab has identified Pegasus spyware used in Mexico, in the Nagorno-Karabakh conflict between Armenia and Azerbaijan, and against Thailand’s pro-democracy movement, Jordanian human rights defenders and journalists, Bahraini activists, press and civil society in El Salvador, Palestinian human rights defenders, New York Times journalists, Russian opposition voices, and more.

In May, Citizen Lab researchers — who have, for years, monitored Israeli spyware firm NSO Group and its product, Pegasus — confirmed that 7 Russian and Belarusian-speaking independent journalists and opposition activists were targeted or infected by Pegasus. These new victims of the spyware all live in Europe in exile and have faced intense threats from Moscow over their opposition to the war in Ukraine. 

Recently, in another chapter of the legal case against the NSO Group, the Pegasus vendor said in a court filing that it believes it is appropriate for its global clients to target any high-ranking government or military official, as they are “legitimate intelligence targets.”

NSO Group continues to argue that a majority of VIP targets are involved in criminal activities and terrorism. A legal victory against the Pegasus maker would help legal entities and law enforcement put an end to the use of the spyware.

However, the never-ending legal challenges against the NSO Group continually delay a determination of whether the use of Pegasus is legal, harming journalists, human rights activists, opposition voices, and others who do not align with specific government agendas.

A recent NSO Group court filing, in which the company says “VIPs” are valid targets for espionage.

I received an Apple threat notification. What should I do?

Apple explained that while the vast majority of users will never be targeted by sophisticated mercenary spyware attacks, diplomats, politicians, government officials, and journalists are under ongoing global threats.  

Apple said that once it detects activity consistent with a mercenary spyware attack, it will notify the targeted users. The notifications reach affected users in two ways:

  1. When they sign in to appleid.apple.com, a Threat Notification warning will be clearly displayed at the top of the page.
  2. Additionally, an email and iMessage notification from Apple to the email addresses and phone numbers associated with the user’s Apple ID will be sent.
Apple’s Support page shows the Threat Notification warning at the top of the Apple ID page. Apple ID is a trademark of Apple Inc.

The notifications provide additional steps that users can take to protect their devices, including enabling the hard-line defense feature Lockdown Mode.

Lockdown Mode will dramatically reduce the digital attack surface of affected users. While many features and services do not work when Lockdown Mode is enabled, the tool is a highly effective proactive security measure for iPhone users.

When sending threat notifications, Apple will never ask users to click on links, open files, or install apps or profiles. Apple won’t even ask those affected to provide their Apple ID password or verification code by email or on the phone. If you have received a threat notification that asks for any of these, it is not legitimate and is likely a social engineering scam.

Final thoughts on how to stay safe

Apple urges users who receive an Apple threat notification to get expert help, such as the rapid-response emergency security assistance of the Digital Security Helpline. The Helpline is run by the nonprofit Access Now and is available online 24 hours a day, 7 days a week. 

Updating software, using passcodes, biometrics, and 2FA, and remaining vigilant about what you download, click, or open are vital.

If you have not received an Apple threat notification but have reason to believe you may be individually targeted by mercenary spyware attacks, you can enable Lockdown Mode on your Apple devices for additional protection.

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. iPhone and Apple ID are trademarks of Apple Inc.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.