Apple says ‘mercenary software’ like Pegasus may be attacking certain iPhones. What is this threat, and should you worry?

The email said the “mercenary spyware attack…is trying to remotely compromise the iPhone associated with your Apple ID”, and that the attack is “likely targeting you specifically because of who you are or what you do”. It added that “Apple has high confidence in this warning”, and urged the recipients to “please take it seriously”.

What’s this threat about, and should you worry?

Who would want to attack a phone with mercenary spyware, as Apple says?

Apple has not said who the attackers may be. It has only said that attacks “such as those using Pegasus” are “exceptionally rare and vastly more sophisticated than regular cybercriminal activity or consumer malware”. These attacks, which are “ongoing and global”, are “individually deployed against a very small number of people”, the threat notification said.

Apple had sent a similar notification to some users in October 2023. On that occasion, Apple had said that “state-sponsored attackers” were “remotely trying to compromise” their iPhones. Following pressure from the government, Apple had subsequently clarified that it “does not attribute the threat notifications to any specific state-sponsored attacker”.

The recipients of the October 2023 emails included opposition politicians Shashi Tharoor of the Congress, Raghav Chadha of AAP, and Mahua Moitra of Trinamool Congress. A few journalists too had reported receiving the notification. Like the notification of April 11, the earlier notification too had said the recipients were being likely targeted because of who they were or what they did.

Was 2023 the first time Apple sent out these notifications?

Apple has been sending out these threat notifications since late 2021. These are automated messages that are sent out to alert and help iPhone users whenever Apple’s systems detect activity that matches certain specific patterns.

The “Threat Notification” is sent by email and iMessage to the email addresses and phone numbers that are linked to the affected user’s Apple ID. As part of the standard text of the message, Apple says it is unable to provide information about what causes them to issue the threat notifications, as that may help the attackers “adapt their behaviour to evade detection in the future”.

In a note issued before it sent out the October 2023 notification, Apple had said that it was “possible that some Apple threat notifications may be false alarms, or that some attacks are not detected”.

What should someone who receives such a notification do?

The notifications by Apple are accompanied by advice on some extra steps that users can take to protect their devices and safeguard their privacy. Some of the general security tips that Apple recommends are updating to the latest software versions, setting a passcode, enabling two-factor authentication, and using a strong password for the Apple ID.

It also recommends that users should download apps only from the App Store, use a different password for each online account, and avoid clicking on links or attachments from unknown sources.

Apple also suggests that users activate the Lockdown Mode, which is a feature introduced in its latest software updates to specifically protect against rare and sophisticated cyber attacks such as these. Activating the Lockdown Mode puts the device into a state of high security, where many usual functions are restricted or disabled. For example, a device in Lockdown Mode will not be able to send or receive attachments, links, or link previews in messages, to prevent attackers from accessing the user’s personal information.

Lockdown Mode is only available on devices that run iOS 16 or later, iPadOS 16 or later, watchOS 10 or later, and macOS Ventura or later.

This is an edited and updated version of an explainer that was first published on October 31, 2023.