You’ve Been Targeted by Government Spyware. Now What?
Learn what to do if you receive a notification about being targeted by government spyware. Discover the steps to take for protection, investigation, and getting help from security experts.
It was an ordinary day when Jay Gibson received an unexpected notification on his iPhone. "Apple detected a targeted mercenary spyware attack against your iPhone," the message read.
Ironically, Gibson used to work at companies that developed precisely the kind of spyware that could trigger such a notification. Still, he was shocked to receive the warning on his own phone. Panicked, Gibson immediately called his father, turned off his phone, put it away, and went to buy a new one.
"I was panicking," he told TechCrunch. "It was a mess. It was a huge mess."
Gibson is just one of an increasing number of individuals receiving notifications from tech companies like Apple, Google, and WhatsApp, which are proactively alerting users when they are targeted by government hackers, specifically those using spyware made by companies like Intellexa, NSO Group, and Paragon Solutions.
However, while Apple, Google, and WhatsApp alert users to these threats, they don't get involved in what happens next. They direct users to experts who can help, and then step away.
What Happens When You Receive a Spyware Notification?
First and foremost, take the notification seriously. These tech giants possess a wealth of telemetry data about their users and what occurs on both their devices and their online accounts. They have security teams that have been investigating, studying, and analysing these types of attacks for years. If they believe you have been targeted, they are likely correct.
It's important to note that receiving a notification from Apple or WhatsApp doesn't necessarily mean you were hacked. The attack may have been blocked or failed, but these companies are letting you know that someone tried.
In Google's case, the company likely blocked the attack. Google's notification will tell you to log in to your account, make sure multi-factor authentication is enabled (ideally with a physical security key or passkey), and activate its Advanced Protection Program, which requires a security key and adds further layers of security.
For those using Apple devices, enabling Lockdown Mode is highly recommended. This feature turns on a series of security measures that make it harder for hackers to target your Apple devices. Apple claims it has never seen a successful hack against a user with Lockdown Mode enabled, though no system is perfect.
Advice from Experts
Mohammed Al-Maskati, director of Access Now's Digital Security Helpline, shared advice for those concerned about government spyware attacks. The helpline is a 24/7 team of security experts who investigate spyware cases, particularly for members of civil society.
Here's some of their advice:
- Keep your device operating systems and apps up to date.
- Switch on Apple's Lockdown Mode and Google's Advanced Protection for accounts and Android devices.
- Be cautious with suspicious links and attachments.
- Restart your phone regularly.
- Be mindful of any unusual behaviour or changes in how your device operates.
Reaching Out for Help
What happens next depends on who you are. There are open-source tools available that anyone can use to detect suspected spyware attacks, but they require some technical knowledge. One tool, the Mobile Verification Toolkit (MVT), allows you to look for forensic traces of an attack. This could be your first step before seeking external help.
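As an added illustration (not MVT's own code and not part of the original article), the sketch below shows the kind of check such a tool performs: records extracted from a device backup are compared against published indicators of compromise. The indicator bundle, domains, process names and records are all constructed samples, and only two simple STIX2-style pattern types are handled.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample data: a minimal STIX2-style bundle and records of the kind
# a backup yields (browser history, messages, process activity). None is real.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value='bad-update.example']"},
    {"type": "indicator", "pattern": "[process:name='examplehelperd']"},
    {"type": "malware", "name": "ConstructedSample"},
]})
SAMPLE_RECORDS = [
    {"source": "safari_history", "url": "https://news.example.org/story"},
    {"source": "safari_history", "url": "https://cdn.Bad-Update.example./a?id=1"},
    {"source": "sms", "url": "http://notbad-update.example/login"},
    {"source": "process_log", "process": "examplehelperd"},
    {"source": "process_log", "process": "mobilesafari"},
]

# Assumption: only single-comparison patterns of these two types are supported.
PATTERN = re.compile(r"\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]")

def load_indicators(bundle_json):
    """Return (domains, process_names) found in the bundle's indicator objects."""
    domains, processes = set(), set()
    for obj in json.loads(bundle_json).get("objects", []):
        is_indicator = obj.get("type") == "indicator"
        match = PATTERN.fullmatch(obj.get("pattern", "")) if is_indicator else None
        if match:
            target = domains if match.group(1) == "domain-name:value" else processes
            target.add(match.group(2).lower())
    return domains, processes

def host_matches(url, domains):
    """True when the URL's host is an indicator domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(records, bundle_json):
    """Return the records that match any indicator, in input order."""
    domains, processes = load_indicators(bundle_json)
    hits = []
    for rec in records:
        if "url" in rec and host_matches(rec["url"], domains):
            hits.append(rec)
        elif rec.get("process", "").lower() in processes:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS, SAMPLE_BUNDLE):
        print("indicator match:", hit)
```

An empty result only means that no known indicator matched the records that were available; it does not show that a device was never targeted.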
If you aren't familiar with MVT or don't want to use it, you can reach out to organisations that specialise in spyware investigations. These groups can offer more in-depth assistance, especially for those in high-risk categories, such as journalists, dissidents, human rights activists, and academics.
Organisations such as Access Now, Amnesty International, and The Citizen Lab at the University of Toronto have dedicated teams to investigate spyware abuses. Reporters Without Borders also has a digital security lab that assists journalists and others who suspect they've been targeted.
What Happens During the Investigation
When you reach out for help, the organisation you contact will likely begin with an initial forensic check. This may involve viewing a diagnostic report file on your device, which you can share remotely. This process does not require handing over your device, and may help identify signs of targeting or infection. In some cases, however, nothing may be found.
If further investigation is needed, the next step may involve sending in a complete backup of your device or even the device itself. The investigators will then work to determine what happened. However, this process can take time since modern government spyware attempts to hide its tracks by deleting data and uninstalling itself.
Spyware makers often use a "smash and grab" strategy, meaning that once they infect a device, they steal as much data as possible and then try to remove any trace of their presence.
Publicising the Attack
For journalists, dissidents, academics, and human rights activists, the groups helping you might ask if you want to publicise the attack. Publicising the incident can help expose the misuse of government spyware and warn others in similar situations. However, publicising the attack is entirely up to you.
Conclusion
We hope you never receive a notification that you've been targeted by government spyware. But if you do, it's essential to know how to proceed. This guide provides the steps you can take to protect yourself and get the help you need.
Stay vigilant and safe out there.