Apple alerts users in 92 nations to mercenary spyware attacks

Authenticity and Delivery of Apple Alerts

  • Many say they would initially assume such a spyware-warning message is phishing.
  • Key verification method discussed: log in directly to appleid.apple.com or iCloud via a known URL and look for a prominent banner.
  • Several note that credible alerts should avoid embedded links and urgent “click now” CTAs; pure informational messages are seen as less suspicious.
  • Some are surprised the alerts come via email/iMessage rather than an OS-level special UI.

iMessage, Backups, and “End-to-End Encryption”

  • Criticism that iMessage’s E2EE is effectively weakened by default iCloud backups, which store message plaintext Apple can access.
  • Advanced Data Protection (ADP) is cited as an optional fix, but others argue conversations are still exposed if recipients lack ADP.
  • Signal is contrasted as not backing up chats in a way cloud providers can read.
  • Debate over whether Apple’s marketing around “can’t decrypt” is misleading given backup behavior.

Attack Vectors, Lockdown Mode, and Extreme OPSEC

  • iMessage is repeatedly mentioned as a major exploit vector with high privileges and a history of CVEs.
  • For high‑risk users, advice includes: enable Lockdown Mode, disable iMessage/iCloud/Keychain, use hardware keys, minimize apps, use burner devices, and assume some compromise is inevitable.

Who Gets Targeted and Why

  • A “random college student” receiving alerts sparks discussion:
    • Possibilities raised: family or social ties to real targets, industrial espionage, political activism, diaspora students, misidentification, or testing exploits on low‑stakes victims.
    • Emphasis that people in research labs, infrastructure, or opposition politics can be attractive targets, not just “spies.”

“Mercenary Spyware” vs “State-Sponsored”

  • Apple’s shift from “state-sponsored attacker” to “mercenary spyware” is noted.
  • Some see this as political softening under pressure from governments; others say “mercenary” accurately covers for‑profit hacking vendors hired by states.
  • There is debate over the legality of NSO‑style tools, touching on sanctions, DMCA/CFAA, export controls, and the gap in global regulation.

Apple vs. Android Security and Notification Practices

  • Some view Apple’s notifications as a positive differentiator; others reply that Google has issued similar “government-backed attacker” warnings for years.
  • Security comparisons are contentious:
    • Claims that recent Android (especially Pixel) is more secure, with bounty prices and hardware diversity cited.
    • Counterclaims that bounties are a weak signal, OEM bloatware adds risk, and iMessage’s ubiquity makes it a particularly attractive target.