TL;DR: If Apple or Google sent you a notification that you've been targeted by "mercenary spyware," take it seriously. Enable Lockdown Mode immediately (iPhone/Mac). Contact Access Now's Digital Security Helpline if you're a journalist or activist — Apple literally tells victims to call them. Consider your device compromised until proven otherwise. Don't panic, but don't ignore it. This guide walks you through exactly what to do.
What That Notification Actually Means
Apple's notification reads something like this:
"Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple Account... This attack is likely targeting you specifically because of who you are or what you do."
That last part matters: "because of who you are or what you do."
This isn't random malware. This is state-level or state-sponsored surveillance software — tools like NSO Group's Pegasus, Paragon's Graphite, or Intellexa's products. These cost millions of dollars to deploy. Governments pay for them. They target journalists, activists, human rights defenders, lawyers, and dissidents.
Since 2021, Apple has sent threat notifications to users in over 150 countries [1]. Google and WhatsApp also send similar warnings.
If you got one, someone with serious resources decided you were worth targeting.
Immediate Steps (Do These Now)
1. Enable Lockdown Mode (iPhone/iPad/Mac)
This is the single most important thing you can do right now.
On iPhone/iPad:
- Go to Settings → Privacy & Security
- Scroll to Lockdown Mode
- Tap Turn On Lockdown Mode
- Your device will restart
On Mac:
- Go to System Settings → Privacy & Security
- Scroll to Lockdown Mode
- Click Turn On
- Restart your Mac
Why it matters: Apple claims there has never been a successful attack against a device with Lockdown Mode enabled [2]. Researchers at Citizen Lab documented it blocking an NSO Group exploit in the wild. It works.
2. Update Everything Immediately
- Update your phone's operating system to the latest version
- Update all apps
- Enable automatic updates
Spyware exploits vulnerabilities. Updates patch them. Every day you delay is a day those exploits remain usable.
3. Restart Your Phone
This sounds too simple, but it works. Many spyware infections don't survive a reboot — they're designed to grab data quickly and then disappear. Restarting your phone can clear active infections, though it won't remove persistent ones.
Make restarting a daily habit if you're at risk.
Who to Contact for Help
For Journalists, Activists, and Human Rights Defenders
Access Now Digital Security Helpline
- Website: accessnow.org/help
- 24/7 service for civil society
- Apple literally tells spyware victims to contact them [3]
Access Now is a nonprofit that investigates about 1,000 suspected government spyware cases per year. About 25 per year are confirmed infections [4]. They're the front line.
Other Organizations That Can Help:
- Citizen Lab (University of Toronto) — Research group that's exposed Pegasus and other spyware globally
- Amnesty International Security Lab — Investigates spyware targeting activists
- Reporters Without Borders — For journalists specifically
- Committee to Protect Journalists — Journalist-focused support
For Everyone Else
If you're not a journalist or activist but still received a notification, you may need to hire a private security firm:
- iVerify — Mobile threat detection
- Lookout — Mobile security
- Trail of Bits — Security research firm
These aren't free. Government-level threats require professional-level response.
What Lockdown Mode Actually Does
Lockdown Mode isn't just a setting — it fundamentally changes how your device works to close attack vectors:
| What Changes | Why It Matters |
|---|---|
| Most message attachments blocked (except images) | Pegasus has used message attachments as attack vectors |
| Link previews disabled in Messages | Previews can trigger exploits before you click |
| Complex web technologies disabled | JavaScript JIT compilation has been exploited repeatedly |
| FaceTime from unknown callers blocked | Prevents zero-click attacks via incoming calls |
| Wired connections to computers blocked when locked | Prevents physical extraction attacks |
| Configuration profiles can't be installed | Blocks one method of installing malicious software |
Trade-offs: Some websites won't work properly. Some attachments won't come through. Some features are disabled. For most people, this is too restrictive for daily use. For people being targeted by governments, it's worth it.
Android Users: Advanced Protection
Android doesn't have Lockdown Mode, but Google offers the Advanced Protection Program:
- Go to Google Advanced Protection
- Enroll your Google Account
- You'll need a physical security key (like a YubiKey) or passkey
What Advanced Protection does:
- Only allows apps from Google Play Store
- Requires physical key or passkey for login
- Provides enhanced scanning of downloads
- Limits which apps can access your Google data
It's not as comprehensive as Apple's Lockdown Mode, but it's the strongest protection available on Android.
If Your Device Is Already Compromised
Modern mercenary spyware uses a "smash and grab" approach: infect, extract everything, then delete itself [5]. By the time you get a notification, the attacker may already have:
- All your messages (including encrypted ones displayed on screen)
- Contacts and call logs
- Emails
- Photos
- Location history
- Microphone and camera recordings
- Passwords saved on device
If you believe you're actively compromised:
- Stop using the device for sensitive communications immediately
- Get a new device — ideally a different brand/ecosystem
- Don't restore from backup (the backup may contain the infection)
- Change passwords for all accounts from a clean device
- Enable two-factor authentication everywhere with a hardware key
- Contact Access Now or another organization for forensic analysis
The hard truth: Modern spyware may leave no traces. Forensic analysis might not find anything even if you were infected. Absence of evidence isn't evidence of absence.
Ongoing Protection Practices
If you're the kind of person governments target, you need ongoing security practices:
Daily Habits
- Restart your phone daily
- Keep Lockdown Mode or Advanced Protection enabled
- Update software immediately when updates appear
- Be suspicious of links — even from known contacts whose devices may be compromised
Communication Security
- Use Signal for sensitive conversations
- Enable disappearing messages
- Remember: if spyware is on your device, it can read messages as you read them — encryption doesn't help once the endpoint is compromised
- For the most sensitive conversations, use a dedicated "burner" device
Account Security
- Use a hardware security key (YubiKey, Titan Key) for important accounts
- Don't rely on SMS for two-factor authentication
- Use a password manager
- Enable login notifications on all accounts
Physical Security
- Don't leave your phone unattended
- Be cautious at border crossings — some countries install spyware during device inspections
- Consider a Faraday bag for meetings where you need to ensure your phone isn't listening
Who Gets Targeted?
Mercenary spyware doesn't target random people. Typical targets include:
- Journalists investigating sensitive topics
- Human rights activists
- Opposition politicians and their staff
- Lawyers representing sensitive clients
- NGO workers
- Dissidents and critics of authoritarian governments
- Business executives with access to valuable information
- Family members of targets
Important: If you're targeted, the people you communicate with may also become targets. Warn your contacts. Your compromise can become their compromise.
What Protection Can't Do
Be realistic about limitations:
- Lockdown Mode doesn't clean existing infections — It prevents new ones
- No protection is perfect — New exploits are constantly developed
- Forensics may find nothing — Modern spyware deletes itself
- You can be re-targeted — One notification doesn't mean it won't happen again
Security is a practice, not a product. There's no app that makes you safe from state-level attackers. There are only habits that make you harder to attack.
If You're Not a Target
Most people reading this aren't actually targeted by government spyware. If you haven't received a notification and don't do work that would attract state-level attention:
- You probably don't need Lockdown Mode daily (the trade-offs aren't worth it)
- Standard security practices protect you from everyday threats
- Update your devices, use a password manager, enable two-factor authentication
- That's enough for 99.9% of people
This guide is for the 0.1% who need it. If that's you, take it seriously.
References
- [1] Apple Support — About Apple threat notifications and protecting against mercenary spyware
- [2] TechCrunch — Apple's high security mode blocked NSO spyware, researchers say (April 2023)
- [3] TechCrunch — Apple sends spyware victims to this nonprofit security lab (December 2024)
- [4] TechCrunch — Meet the team that investigates government spyware targeting (December 2025)
- [5] TechCrunch — You've been targeted by government spyware. Now what? (December 2025)