Trusted Internet Guidance: Apple’s threat notification on “mercenary spyware”

On April 10th Apple issued a threat notification for what they’re calling “Mercenary Spyware”. Apple describes mercenary spyware attacks as “vastly more complex than regular cybercriminal activity and consumer malware”: the attackers apply exceptional resources to target a very small number of specific individuals and their devices. Such attacks cost millions of dollars and often have a short shelf life, which makes them much harder to detect and prevent. Apple compares them to the work of third-party companies like the one that produced NSO Pegasus.

This wording is often used by cyber threat analysts to describe Advanced Persistent Threats, government-sponsored cyber-attacks and

According to the alert, “Mercenary spyware attacks are exceptionally well funded and evolve over time. Apple relies solely on internal threat intelligence information and investigations to detect such attacks.”

Bottom line. When Apple uses this language, it’s serious.

At a minimum, Trusted Internet recommends the following best practices:

  • Update devices to the latest software, as that includes the latest security fixes.

  • Protect devices with a passcode.

  • Use two-factor authentication and a strong password for Apple ID.

  • Install apps only from the App Store.

  • Use strong and unique passwords online.

  • Don’t click on links or attachments from unknown senders.

  • And we always recommend using a commercial-grade, AI-driven mobile antivirus. At Trusted Internet, we recommend Sophos Intercept X for Mobile. You can download it from the Apple Store, or contact Trusted Internet for a no-cost 30-day trial license of the commercial-grade, Security Operations Center-monitored version.

For those who feel they may be targeted or at risk, a more protective option is available: Apple calls it iOS Lockdown Mode. Be aware, however, that when Lockdown Mode is enabled, some apps and features function differently:

  • Messages - Most message attachment types are blocked, other than certain images, video, and audio. Some features, such as links and link previews, are unavailable.

  • Web browsing - Certain complex web technologies are blocked, which might cause some websites to load more slowly or not operate correctly. In addition, web fonts might not be displayed, and images might be replaced with a missing image icon.

  • FaceTime - Incoming FaceTime calls are blocked unless you have previously called that person or contact. Features such as SharePlay and Live Photos are unavailable.

  • Apple services - Incoming invitations for Apple services, such as invitations to manage a home in the Home app, are blocked unless you have previously invited that person. Game Center is also disabled.

  • Photos - When you share photos, location information is excluded. Shared albums are removed from the Photos app, and new Shared Album invitations are blocked. You can still view these shared albums on other devices that don’t have Lockdown Mode enabled.

  • Device connections - The device must be unlocked to connect your iPhone or iPad to an accessory or another computer. To connect your Mac laptop with Apple silicon to an accessory, your Mac needs to be unlocked and provide explicit approval.

  • Wireless connectivity - Your device won't automatically join non-secure Wi-Fi networks and will disconnect from a non-secure Wi-Fi network when you turn on Lockdown Mode. 2G cellular support is turned off.

  • Configuration profiles - Configuration profiles can’t be installed, and the device can’t be enrolled in Mobile Device Management or device supervision while in Lockdown Mode.

Phone calls and plain text messages continue to work while Lockdown Mode is enabled. Emergency features, such as SOS emergency calls, are not affected.

For assistance in hardening your iPhone, contact Trusted Internet’s Executive Cyber Support Center at help@trustedinternet.io, your Virtual CISO™, or 800-853-6431.
