You’ve been targeted by government spyware. Now what?

It was a normal day when Jay Gibson got an unexpected notification on his iPhone. “Apple detected a targeted mercenary spyware attack against your iPhone,” the message read.
Ironically, Gibson used to work at companies that developed exactly the kind of spyware that could trigger such a notification. Still, he was shocked to receive a notification on his own phone. He called his father, turned off his phone and put it away, and went to buy a new one.
“I was panicking,” he told TechCrunch. “It was a mess. It was a huge mess.”
Gibson is just one of an ever-increasing number of people who are receiving notifications from companies like Apple, Google, and WhatsApp, all of which send similar warnings about spyware attacks to their users. Tech companies are increasingly proactive in alerting users when they become targets of government hackers, in particular those who use spyware made by companies such as Intellexa, NSO Group, and Paragon Solutions.
But while Apple, Google, and WhatsApp alert their users, they don’t get involved in what happens next. The tech companies direct their users to people who could help, at which point the companies step away.
WARNING: How Should You React?
You have received a notification that you were the target of government hackers. Now what? First of all, take it seriously. These companies have a lot of telemetry data about their users and what happens on both their devices and online accounts. For this reason, they have security teams that have been hunting, studying, and analyzing this type of malicious activity for years. If they think you have been targeted, they are probably right.
It’s important to note that, in the case of Apple and WhatsApp notifications, receiving one doesn’t mean you were necessarily hacked. Sometimes, the hacking attempt failed, but they will still let you know that someone tried.
In the case of Google, it’s likely that the company blocked the attack and is telling you so you can go into your account and make sure you have multi-factor authentication enabled (ideally using a physical security key or passkey). You should also turn on its Advanced Protection Program, which also requires a security key and adds other layers of security to your account. In other words, Google will tell you how to better protect yourself in the future.
In the Apple ecosystem, you should turn on Lockdown Mode, which activates a series of security features that make it more difficult for hackers to target your devices. Apple claims that it has never seen a successful hack against a user with Lockdown Mode enabled, although no system is perfect.
Mohammed Al-Maskati, director of Access Now’s Digital Security Helpline, a global team of security experts who investigate spyware cases against members of civil society, shared the advice that the helpline gives people who are concerned they may be targeted with government spyware. This advice includes keeping operating systems and apps up-to-date, activating Apple’s Lockdown Mode and Google’s Advanced Protection for your accounts and devices, being careful with suspicious links and attachments, restarting your phone regularly, and paying attention to changes in how your device functions.
If you receive a notification from Apple, Google, or WhatsApp about being targeted with spyware, or if you have information about spyware makers, you are encouraged to securely contact experts such as Lorenzo Franceschi-Bicchierai via Signal, Telegram, Keybase, or email.
Seeking Help and Next Steps
What happens next depends on who you are. Fortunately, there are open source and downloadable tools that anyone can use to detect suspected spyware attacks on their devices, though this requires some technical knowledge. You can use the Mobile Verification Toolkit (MVT), which helps you look for forensic traces of an attack on your own, possibly as a first step before looking for professional assistance.
If you do not want to use MVT or cannot, you can directly reach out to someone who can help. If you are a journalist, dissident, academic, or human rights activist, there are organizations that can help. You can turn to Access Now and its Digital Security Helpline, or contact Amnesty International, which has its own team of investigators and ample experience with these cases. The Citizen Lab, a digital rights group at the University of Toronto, has investigated spyware abuses for almost 15 years. Journalists can also seek help from Reporters Without Borders, which has a digital security lab.
For those outside these groups, such as politicians or business executives, the options differ. If you work for a large company or political party, you probably have a security team you can approach directly. Even if they lack the specific knowledge, they may know whom to contact, although Access Now, Amnesty, and Citizen Lab focus on civil society.
For others, several private security companies exist. iVerify is one of the best known, as it provides an app for Android and iOS and allows users to request forensic investigations. Matt Mitchell’s startup Safety Sync Group also offers protection services. Jessica Hyde’s company, Hexordia, investigates suspected hacks as well. Mobile cybersecurity company Lookout allows people to reach out for help with possible cyberattacks involving malware and device compromise. Costin Raiu’s TLPBLACK is another source of expertise, and he can be contacted directly.
Generally, the organization will do an initial forensic check, possibly through a diagnostic report you can create and share with the investigators remotely. This step does not require you to hand over your device. If signs of targeting or infection are found—or nothing is detected—the investigators may request a full device backup or even your actual device for deeper analysis. These investigations may take time, since modern government spyware is designed to hide and delete its traces.
Unfortunately, modern spyware may erase almost all evidence of its presence. According to Hassan Selmi from Access Now, the “smash and grab” strategy is common: spyware infects the device, steals as much data as possible, and then erases itself to evade investigators.
If you are a journalist, dissident, academic, or human rights activist, the groups helping you may ask if you want to publicize the attack, but you are not required to do so. They will help you without taking public credit. However, announcing an attack can expose abuse by governments or companies and warn others of the risks.
We hope you never receive one of these notifications, but if you do, use this guide to stay safe and make informed decisions.
Tags: spyware, cyberattacks, digital security, Apple Lockdown Mode, privacy protection, device analysis
