Government Spyware: Protect Yourself Now!
Jay Gibson received an unexpected notification on his iPhone one ordinary day: “Apple detected a targeted mercenary spyware attack against your iPhone.” The irony? Gibson previously worked at companies developing similar spyware. Despite his experience, the notification was shocking. He immediately contacted his father, powered down his phone, and purchased a new one. “I was panicking,” he told GearTech. “It was a huge mess.”
The Rising Threat of Government Spyware
Gibson’s experience isn’t isolated. Increasingly, users are receiving similar warnings from Apple, Google, and WhatsApp, signaling targeted spyware attacks. Tech companies are becoming more proactive in alerting users to threats from government hackers, particularly those employing spyware from companies like Intellexa, NSO Group, and Paragon Solutions. However, the responsibility for what happens next largely falls on the individual.
While these companies alert users, they generally don’t provide extensive follow-up assistance. They point users to resources that can help, but then step back, leaving individuals to navigate a complex and potentially frightening situation. This article walks through the steps to take if you receive such a notification, and how to protect yourself proactively.
What to Do When You Receive a Spyware Warning
Take the Notification Seriously
These tech giants possess vast amounts of telemetry data and have dedicated security teams analyzing malicious activity for years. If Apple, Google, or WhatsApp believes you’ve been targeted, their assessment is highly likely to be accurate. Don't dismiss the warning as a false alarm.
It’s crucial to understand that receiving a notification doesn’t automatically mean your device has been compromised. In Apple’s and WhatsApp’s case, the attempt may have failed even though the system detected the malicious activity. Caution is still paramount.
Google’s Warnings: Enhanced Protection is Key
A Google notification typically indicates the company has blocked an attack. Google will prompt you to strengthen your account security by enabling multi-factor authentication (ideally using a physical security key or passkey) and activating its Advanced Protection Program. This program adds further layers of security, including requiring a security key for access.
Apple’s Lockdown Mode: A Powerful Defense
Within the Apple ecosystem, activating Lockdown Mode is a critical step. This feature enables a series of extreme security measures, significantly hindering hacking attempts. Apple claims no successful hacks have been recorded against users with Lockdown Mode enabled, though no system is entirely impenetrable.
Expert Advice from Access Now’s Digital Security Helpline
Mohammed Al-Maskati, director of Access Now’s Digital Security Helpline, a 24/7 global team assisting those targeted by spyware, offers the following advice:
- Keep your devices and apps updated: Regularly install the latest operating system and application updates.
- Enable Lockdown Mode (Apple) and Advanced Protection (Google): Utilize these features for enhanced security.
- Be cautious with links and attachments: Avoid clicking on suspicious links or opening unexpected attachments.
- Regularly restart your phone: This can disrupt malicious processes.
- Monitor device functionality: Pay attention to any unusual behavior or changes in performance.
Seeking Assistance: Who to Contact
The next steps depend on your profile. Fortunately, resources are available, but access varies.
DIY Detection with MVT
For those with technical expertise, the Mobile Verification Toolkit (MVT) is an open-source tool that allows you to scan your device for forensic traces of a spyware attack. This can be a useful first step before seeking professional help.
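A worked example of the MVT scan the paragraph above describes, for an iPhone. This script is added here as an illustration and is not part of the original article or of the MVT project itself. It assumes libimobiledevice (`idevicebackup2`) and MVT (`mvt-ios`) are installed, uses MVT’s documented sub-commands and flags (`decrypt-backup`, `download-iocs`, `check-backup`), and expects the backup password in the `MVT_IOS_BACKUP_PASSWORD` environment variable so it never appears on the command line or in shell history. The case-directory layout (`backup/`, `decrypted/`, `results/`) is this example’s own choice.

```shell
#!/bin/sh
# Added example (not MVT's own code): scan an iOS device for spyware traces
# with the Mobile Verification Toolkit. Assumes idevicebackup2 and mvt-ios
# are installed. Set MVT_DRY_RUN=1 to print the commands instead of running
# them, which is also how the steps can be reviewed before touching a device.
set -u

run() {
  # Print the command when dry-running; execute it otherwise.
  if [ "${MVT_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

check_tools() {
  # Return 0 when every required tool is on PATH; list the missing ones otherwise.
  missing=""
  for tool in idevicebackup2 mvt-ios; do
    command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
  done
  [ -z "$missing" ] || { echo "missing tools:$missing" >&2; return 1; }
}

mvt_ios_scan() {
  # $1 = case directory (hypothetical layout chosen for this example).
  case_dir=$1
  backup_dir="$case_dir/backup"
  decrypted_dir="$case_dir/decrypted"
  results_dir="$case_dir/results"
  run mkdir -p "$backup_dir" "$decrypted_dir" "$results_dir"

  # 1. Take an ENCRYPTED full backup: only encrypted backups include the
  #    databases (e.g. Safari history, SMS, process records) that MVT checks.
  #    idevicebackup2 prompts for a password if none is given, and writes the
  #    backup into a sub-directory named after the device UDID.
  run idevicebackup2 encryption on
  run idevicebackup2 backup --full "$backup_dir"

  # 2. Decrypt the backup. MVT reads the password from MVT_IOS_BACKUP_PASSWORD,
  #    so it is not passed with -p; the glob expands to the UDID sub-directory.
  run mvt-ios decrypt-backup -d "$decrypted_dir" "$backup_dir"/*

  # 3. Fetch the public indicators of compromise (Amnesty, Citizen Lab and
  #    others publish STIX2 IOC files) and scan the decrypted backup.
  #    Results, including a timeline and any detections, land in results/.
  run mvt-ios download-iocs
  run mvt-ios check-backup -o "$results_dir" "$decrypted_dir"
}

# Usage: MVT_IOS_BACKUP_PASSWORD=... ./mvt_ios_scan.sh ~/mvt-case
# With no arguments the script only defines the functions above.
if [ "$#" -gt 0 ]; then
  [ "${MVT_DRY_RUN:-0}" = 1 ] || check_tools || exit 1
  mvt_ios_scan "$1"
fi
```

Treat a scan with no detections as "nothing matched the public indicators", not as a clean bill of health: as the article notes further down, modern spyware often removes its own traces, so a negative MVT result is a reason to keep going with one of the organizations listed below rather than to stop.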
Support for Journalists, Activists, and Researchers
If you are a journalist, dissident, academic, or human rights activist, several organizations can provide assistance:
- Access Now’s Digital Security Helpline: Offers 24/7 support and investigation.
- Amnesty International: Provides investigative expertise and support.
- The Citizen Lab: A leading digital rights group specializing in spyware research.
- Reporters Without Borders: Offers a digital security lab for investigating hacking and surveillance.
Support for Executives and Others
Politicians, business executives, and others outside of the aforementioned categories may need to explore alternative options.
Large companies and political organizations often have internal security teams capable of handling such incidents. If not, they likely have connections to external security firms. For individuals without these resources, several private security companies offer forensic investigation services:
- iVerify: Offers an app for Android and iOS, along with in-depth forensic investigations.
- Safety Sync Group: A new startup founded by security expert Matt Mitchell, providing similar services.
- Hexordia: Founded by forensic investigator Jessica Hyde, specializing in hack investigations.
- Lookout: A mobile cybersecurity company with experience analyzing government spyware, offering an online form for reporting cyberattacks.
- TLPBLACK: Led by Costin Raiu, a team of security researchers with a proven track record of uncovering sophisticated cyberattacks. You can contact them directly via email.
The Investigation Process
The investigation process varies depending on the organization you contact. Typically, they will request a diagnostic report from your device, which can be shared remotely. This initial assessment can detect signs of targeting or infection.
If further investigation is needed, you may be asked to provide a full device backup or even the device itself. The investigators will then analyze the data, a process that can take time as modern spyware attempts to conceal its presence.
Unfortunately, advanced spyware often leaves no discernible traces. Hassan Selmi of Access Now’s Digital Security Helpline explains that the current modus operandi is a “smash and grab” strategy: spyware steals data and then attempts to remove all evidence of its presence.
Public Disclosure and Accountability
If you are a journalist, activist, or researcher, the organizations assisting you may ask if you wish to publicize the attack. This is not mandatory, but can be beneficial for several reasons:
- Denounce government targeting: Raise awareness about the abuse of spyware.
- Warn others: Alert individuals at risk of similar attacks.
- Expose spyware companies: Highlight the misuse of their technology.
Staying Safe in a Digital World
Receiving a spyware notification is a serious event. However, by taking swift action and utilizing the resources available, you can mitigate the damage and protect yourself. Proactive security measures, such as enabling Lockdown Mode, using Advanced Protection, and practicing safe online habits, are essential in today’s digital landscape. We hope you never receive one of these notifications, but if you do, this guide will help you navigate the situation effectively. Stay vigilant and stay safe.