It was an ordinary day when Jay Gibson received an unexpected notification on his iPhone. “Apple has detected a targeted spyware attack on your iPhone,” the message read.
Ironically, Mr. Gibson once worked for a company that developed the very type of spyware that could trigger such notifications. Still, he was shocked to receive the notification on his phone. He called his father, turned off his cell phone, and went to buy a new cell phone.
“I was panicking,” he told TechCrunch. “It was a mess. It was a huge mess.”
Gibson is just one of a growing number of people receiving notifications from companies like Apple, Google and WhatsApp. All of these companies send similar warnings to users about spyware attacks. Technology companies are becoming more proactive in warning users if they are targeted by government hackers, especially those using spyware created by companies like Intellexa, NSO Group, and Paragon Solutions.
But while Apple, Google and WhatsApp have issued warnings, they are not involved in what happens next. Tech companies direct users to people who might be able to help them, but at that point they back off.
This is what happens when you receive one of these warnings.
caveat
You received a notification that you have been targeted by government hackers. Well, what is it?
First of all, please take it seriously. These companies have large amounts of telemetry data about you and what’s happening with both your devices and online accounts. These tech giants have security teams that have been tracking, researching, and analyzing this type of malicious activity for years. If they think you’re being targeted, they’re probably right.
In the case of Apple and WhatsApp notifications, it’s important to note that receiving a notification doesn’t necessarily mean you’ve been hacked. The hacking attempt may have failed, but it still shows that someone tried.
In the case of Google, the company likely blocked the attack and you should access your account and make sure multi-factor authentication (ideally a physical security key or passkey) is turned on, as well as the Advanced Protection program. This requires a security key and adds another layer of security to your Google Account. In other words, Google can teach you how to better protect yourself in the future.
In the Apple ecosystem, lockdown mode must be turned on. This turns on a series of security features that make it harder for hackers to target Apple devices. Apple has long maintained that there have been no successful hacks against users with Lockdown Mode enabled, but no system is perfect.
Mohammed Al Maskati, director of the Digital Security Helpline at Access Now, a global team of security experts that investigates spyware incidents against members of civil society 24/7, shared with TechCrunch the advice the helpline gives to people concerned about being targeted by government spyware.
This advice includes keeping your device’s operating system and apps up to date. Turn on Apple’s Lockdown Mode and Google’s Advanced Protection for your account and Android devices. Be wary of suspicious links and attachments. Restart your phone regularly. And you need to pay attention to changes in the functionality of the device.
inquiry
Did you receive a notification from Apple, Google, or WhatsApp that you’re being targeted by spyware? Or do you have information about the spyware manufacturer? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely from your non-work device on Signal (+1 917 257 1382), on Telegram and Keybase @lorenzofb, or by email.
ask for help
What happens next depends on who you are.
There is an open source, downloadable tool that anyone can use to detect suspected spyware attacks on their devices, but it does require some technical knowledge. Mobile Verification Toolkit (MVT) is a tool that allows you to look for forensic evidence of an attack yourself, perhaps as a first step before seeking assistance.
If you don’t want or can’t use MVT, you can contact someone directly who can help. If you’re a journalist, dissident, academic, or human rights activist, there are several organizations that can help.
You can contact Access Now and its Digital Security Helpline. You can also contact Amnesty International. Amnesty International has its own investigative team and has extensive experience in such cases. Alternatively, you can contact The Citizen Lab, a digital rights group at the University of Toronto that has been researching spyware abuse for about 15 years.
If you’re a journalist, Reporters Without Borders also has a Digital Security Lab that offers investigations into suspected hacking and surveillance incidents.
People outside these categories, such as politicians and business executives, will have to go elsewhere.
If you work for a large company or political party, you probably have a competent (hopefully!) security team readily available. They may not have the specific knowledge to dig deeper, but in that case, they probably know who to turn to, even if Access Now, Amnesty, and Citizen Lab can’t help people outside of civil society.
Otherwise, there aren’t many places to turn to business owners and politicians, but we asked around and found the following. Although we cannot fully vouch for these organizations or directly support them, it is worth pointing them out based on suggestions from people we trust.
Perhaps the best known of these private security companies is iVerify. The company has created an app for Android and iOS that also gives users the option to request a detailed forensic investigation.
Matt Mitchell, a well-known security expert who has helped vulnerable people protect themselves from surveillance, has launched a new startup offering this type of service called Safety Sync Group.
Jessica Hyde is a forensic investigator with experience in both the public and private sectors who runs her own startup called Hexordia and offers to investigate suspected hacking cases.
Mobile cybersecurity company Lookout has experience analyzing government spyware around the world and has an online form where you can request help investigating cyberattacks involving malware, device compromise, and more. The company’s threat intelligence and forensics teams may then become involved.
Next is Costin Raiu, who leads TLPBLACK. TLPBLACK is a small team of security researchers formerly working at Kaspersky Lab’s Global Research and Analysis Group (GReAT). Raiu was in charge of the unit when his team discovered sophisticated cyberattacks by elite government hacking teams from the United States, Russia, Iran and other countries. Raiu told TechCrunch that anyone who suspects they have been hacked can email him directly.
investigation
What happens next depends on who you go to for help.
Typically, the contacting organization may wish to perform an initial forensic check by referring to the diagnostic report file that can be created on the device. Diagnostic report files can be shared with remote investigators. There is no need to give your device to anyone at this time.
This first step could potentially detect targeting and even signs of infection. Sometimes nothing happens. In either case, investigators will need to investigate further and may need to have a complete backup of the device or send you the actual device. At that point, investigators begin their work, which can take some time as modern government spyware attempts to hide and remove their traces, telling us what happened.
Unfortunately, modern spyware may leave no trace. Hassan Selmi, who leads the incident response team at Access Now’s Digital Security Helpline, said the latest tactic is a “smash-and-grab” strategy, meaning that once spyware has infected a target device, it attempts to steal as much data as possible, remove all traces and uninstall itself. This is likely an attempt by spyware manufacturers to protect their products and hide their activities from investigators and researchers.
If you are a journalist, dissident, academic or human rights activist, the organizations supporting you may ask you if you wish to publicize the fact that you have been attacked, but you are not required to do so. They will be happy to help you without public recognition. However, you may have a good reason for coming out. To denounce the fact that the government has targeted you. This may have the side effect of alerting others like you to the dangers of spyware. Or they can expose spyware companies by showing their customers misusing their technology.
I hope you don’t receive any notifications like this. But if you are, I hope you find this guide useful. Please stay safe.
