If your phone has just belched to tell you that “government-backed” or “mercenary” spyware is snuffling through your messages and calendars, treat it like a smoke alarm going off: It is almost certainly real. The companies — Apple, Google and WhatsApp in particular — have gradually built up their alerting programs, and those messages are often rooted in hard telemetry, not guesswork. Google’s Threat Analysis Group has sent tens of thousands of government-backed attacker warnings a year, and Apple says that since 2021 it has reached users in over 150 countries, including with one broad wave affecting 92 countries last year.
Four steps to take, and four that you shouldn’t
Check the warning without panicking or overreacting
Begin from the premise that the alert has merit. These companies detect targeted activity by reading device logs and analyzing network patterns, exploit signatures and account-abuse signals, honed over years of tracking the groups behind tools such as Pegasus (NSO Group), Predator (Intellexa/Cytrox) and other commercial kits.
Keep in mind that a notification may indicate an attempted breach rather than a successful one. That distinction changes the next steps, but either way you need to tighten your defenses right now.
Immediate measures to mitigate risk after alerts
Isolate the device, but do not factory-reset it yet. Shut it down, disconnect it from Wi‑Fi and cellular data if possible, and do not open new messages or attachments. Evidence can disappear fast; if it is preserved, investigators may be able to reconstruct what happened.
Move sensitive conversations to a clean device you control. Assume that anything recently present on the alerted device (messages, photos, cloud tokens) may have been compromised.
Update first, then harden. On iPhone, update to the latest iOS and use Lockdown Mode. Apple says it hasn’t seen any successful remote compromises of its devices with Lockdown Mode turned on yet, though no defense is bulletproof. On Android, update everything there is to update (system updates, Play system updates), disable sideloading, and remove any apps you don’t recognize or care about.
Rebooting can evict some in-memory implants used in so-called “zero-click” attacks. It is not a cure, and advanced spyware may re-persist, but a daily restart is manageable friction you can add while you seek help.
Harden accounts and cloud backups to limit fallout
Secure the accounts linked to the device. For Google, enroll in Advanced Protection with two physical security keys or passkeys, review third-party access and revoke stale tokens. For Apple, enable Advanced Data Protection for iCloud to extend end-to-end encryption, rotate your Apple ID password, and review the devices signed in to your account.
Change passwords from a known-clean device, not the one that raised the alert. Prioritize email, messaging and cloud storage, then your password manager and social media accounts.
Get forensic help, not just advice, from experts
Self-tests are a reasonable first pass. The Mobile Verification Toolkit (MVT) from Amnesty International’s Security Lab, for example, can scan for traces of known iOS and Android spyware. It is somewhat technical and best run from a separate computer.
If you are a journalist, an activist, an academic or a rights defender, get in touch with Access Now’s Digital Security Helpline, Amnesty’s Security Lab or the Citizen Lab at the University of Toronto. Reporters Without Borders also provides financial assistance for newsroom investigations. These groups triage cases, review diagnostics and may escalate to a full forensic analysis.
For high-level executives and political organizations, consider well-regarded private teams with experience in the space like iVerify, Lookout’s threat intelligence and forensics group, Safety Sync Group, or Hexordia.
Use case: preliminary remote diagnostics and chain of custody
Typically, the user first receives a preliminary remote analysis of diagnostic data, with the option to proceed to a backup or device acquisition under chain of custody if further investigation is warranted.
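As an added example (not from the article, nor from any of the firms named), a small Python script for the chain-of-custody step above: hash every file in an acquired backup or diagnostics bundle into a manifest before it is handed to investigators, and re-verify it later to prove nothing changed. The custodian name, paths and sample files are constructed.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Added example, not the article's own code: seal an acquired phone backup
# or diagnostics bundle with a hash manifest so later tampering is detectable.


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, custodian, note=""):
    """Record hash, size, custodian and acquisition time for every file under root."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {"acquired_at": datetime.now(timezone.utc).isoformat(),
            "custodian": custodian, "note": note, "files": entries}


def verify_manifest(root, manifest):
    """Return relative paths that are missing or whose contents no longer match."""
    problems = []
    for rel, meta in manifest["files"].items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full) or sha256_file(full) != meta["sha256"]:
            problems.append(rel)
    return problems


def save_manifest(manifest, path):
    """Write the manifest outside the bundle (e.g. next to it), never inside it."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def demo():
    """Constructed sample: seal a tiny fake bundle, then detect a later edit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "logs"))
        with open(os.path.join(root, "logs", "sysdiagnose.txt"), "w") as f:
            f.write("constructed sample log line\n")          # constructed data
        with open(os.path.join(root, "Manifest.db"), "wb") as f:
            f.write(b"\x00constructed\x00")                   # constructed data
        m = build_manifest(root, custodian="J. Doe (analyst, placeholder)")
        clean = verify_manifest(root, m)                       # expect []
        with open(os.path.join(root, "logs", "sysdiagnose.txt"), "a") as f:
            f.write("tampered\n")                             # simulate alteration
        return clean, verify_manifest(root, m)                 # second list names the file
```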
Anticipate elusive malware and scarce evidence
Today’s mercenary spyware behaves like a “smash-and-grab” thief: silent device compromise, maximum data exfiltration, then self-deletion to frustrate forensics. That means investigators may find strong evidence of targeting but no persistent implant.
Real-world cases illustrate the spread: WhatsApp’s 2019 lawsuit claimed Pegasus attacked 1,400 users through a call vulnerability; investigators have since revealed Predator-related campaigns targeting journalists and politicians in Greece; multiple governments are under scrutiny as part of the EU Parliament’s PEGA inquiry. The United States has put the NSO Group and Candiru on a blacklist and has placed sanctions on entities in the Intellexa network. Some exploit brokers have announced seven-figure payouts for zero-click chains, highlighting the level of sophistication at work.
Determine what to reveal, to whom, and when to speak
Collaborate with investigators and your attorney on communications. Publicly attributing an offender can discourage others from doing the same thing and provide a warning to colleagues, but it also may put you at risk of retaliation or show where your defenses are weak. Quiet remediation — vendor disclosure, discussing with your organization’s security team, and a report to your national CERT or data protection authority — can be equally effective.
If you are covering sensitive sources or trade secrets, seek the advice of legal counsel regarding your obligations to notify and cross-border data risks. Keep records: alerts, screenshots, logs and investigator reports.
Build long-term resilience against targeted spyware
Revisit your threat model. Divide work and personal life between different devices and accounts. Reduce the attack surface by limiting iMessage and FaceTime exposure with Lockdown Mode, blocking unknown callers, and disabling preview features (things like rich links or a media attachment) that automatically render content.
Use hardware security keys or passkeys wherever possible, turn on automatic updates, and minimize high-risk plug-ins and extensions. Watch out for travel gadgets, communal chargers and QR codes. Continuously monitor which services are accessing your cloud data.
The uncomfortable truth: You can do all the right things and still become a target. But rapid isolation, effective forensics and disciplined account hardening can significantly shrink the attacker’s window — and that can be the difference between a scare and a breach.