So You’ve Got an Apple Threat Notification, What Now?

By iVerify Team

Jun 26, 2025

As more of our lives happen on our phones, from housing our passports to accessing the most sensitive company data, our mobile devices have become rich targets for exploitation. One only needs to look at the rise of commercial spyware and the millions of dollars being poured into its development by governments and VC firms to understand that a fundamental shift has taken place in the security landscape, and phones are at the center. Apple, known for its focus on user privacy and security, has introduced a system of "Threat Notifications" to alert users who may be targeted by sophisticated spyware attacks such as Predator and Pegasus. Maybe you landed on this blog because you just got one, or you are just curious to know more, so let's dive into what these threat notifications are, their history, what they look like, and, most importantly, what you should do if you receive one.

A Brief History of Apple Threat Notifications

Apple's commitment to security has always been a core part of its identity. Over the years, as cyber threats have evolved, Apple has taken proactive steps to protect its mobile users, including Lockdown Mode in 2022 and the introduction of Threat Notifications in 2021, in response to the increasing prevalence of highly sophisticated, often state-sponsored, spyware attacks. In its early days, spyware mostly targeted civil society, journalists and other high-risk individuals, but increasingly we are seeing mobile devices used as an entry point to move laterally into company networks. These attacks, unlike common malware, are incredibly complex and resource-intensive.

What Are Apple Threat Notifications?

Apple Threat Notifications are alerts issued to users who Apple believes have been individually targeted by "mercenary spyware attacks." These are not your average phishing attempts or general malware. They are highly focused and sophisticated efforts to compromise specific devices, likely due to who the user is or what they do.

These notifications are designed to inform and assist compromised users, providing them with steps to enhance their device security. Apple utilizes internal threat-intelligence information and investigations to detect these attacks. While absolute certainty can be elusive, Apple states these notifications are high-confidence alerts that should be taken seriously. It’s important to note that not having received a Threat Notification doesn’t mean your device hasn’t been compromised. Commercial spyware vendors are continuously iterating their malware to take advantage of the latest zero-days and patches, and that malware is specifically designed to be elusive. The same architecture that makes iPhones one of the most secure devices on the market also makes it more difficult for both Apple and external security teams to detect spyware infections.

What Do Apple Threat Notifications Look Like?

Apple delivers Threat Notifications through two primary channels:

  1. At the top of account.apple.com: After signing into your Apple ID account on account.apple.com, a clear and visible notification will appear if Apple has issued a threat alert for your account. This is the most reliable way to verify the authenticity of a notification.

  2. Email and iMessage notifications: Apple sends emails and iMessages to the email addresses and phone numbers associated with your Apple Account. Email notifications come from threat-notifications@email.apple.com, and iMessage notifications come from threat-notifications@apple.com. It's crucial to be aware of these official sender addresses, as impersonation attempts are common in phishing scams.

Important Notes on Apple Threat Notifications:

  • Apple will never ask you to click on links, open files, install apps or profiles, or provide your Apple ID password or verification code via email or phone. Any request for this information through these channels is a sign of a scam.

  • The notifications do not provide specific details about what triggered the alert, as this information could be used by attackers to evade future detection.
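For a help desk or SOC handling a reported "Apple threat notification" e-mail, the sender and attachment rules above can be checked mechanically before anyone signs in to account.apple.com to confirm. The sketch below is an added example, not code from Apple or iVerify; the `triage` function, the `mx.corp.example` authserv-id and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

OFFICIAL_SENDER = "threat-notifications@email.apple.com"  # address given in the article
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def triage(raw, trusted_authserv):
    """Collect triage facts from a reported notification e-mail.

    trusted_authserv is an assumption: the authserv-id your own inbound mail
    server writes into Authentication-Results (RFC 8601). Headers carrying
    any other id may have been added by the sender and are ignored.
    """
    msg = message_from_string(raw, policy=policy.default)
    frm = msg["From"]
    # addr_spec is the real mailbox; the display name is attacker-controlled.
    senders = [a.addr_spec.lower() for a in frm.addresses] if frm else []
    prefix = trusted_authserv.lower() + ";"
    ours = [str(h).lower() for h in msg.get_all("Authentication-Results", [])
            if str(h).strip().lower().startswith(prefix)]
    attachments, text = [], ""
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_maintype() == "text":
            text += part.get_content()
    facts = {
        "sender_ok": senders == [OFFICIAL_SENDER],
        "dmarc_pass": any(re.search(r"\bdmarc=pass\b", r) for r in ours),
        "attachments": attachments,
        "urls": URL_RE.findall(text),  # for the analyst's report; never followed
    }
    # Either failure or any attachment means: treat as phishing. A clean result
    # still has to be confirmed by signing in at account.apple.com directly.
    facts["suspicious"] = (not facts["sender_ok"] or not facts["dmarc_pass"]
                           or bool(attachments))
    return facts

# Constructed sample: display name imitates Apple, real mailbox does not, and the
# Authentication-Results header was supplied by the sender, not by mx.corp.example.
SPOOFED = (
    'From: "threat-notifications@email.apple.com" <alerts@apple-security.example>\n'
    "Authentication-Results: mail.apple-security.example; dmarc=pass\n"
    "Subject: ALERT\n\n"
    "Your iPhone is targeted. Confirm at https://apple-security.example/verify\n"
)

if __name__ == "__main__":
    print(triage(SPOOFED, "mx.corp.example"))
```

A result with `suspicious` set to false only means the message passed these header checks; the banner at the top of account.apple.com remains the authoritative confirmation.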

What To Do if You Receive a Threat Notification

If you receive an Apple Threat Notification, it's essential to take it seriously and act swiftly to protect your device and data. We recommend:

  1. Verify the notification's authenticity: The first step is to verify that the notification is genuinely from Apple. Sign in to your Apple ID account. If Apple sends you a threat notification, it will be clearly visible at the top of the page after you sign in. This is the most reliable method to ensure the notification's legitimacy.

  2. Seek expert help: As Apple’s Threat Notification doesn’t provide any context about the attack, preserving the evidence is important in order to help researchers find the vulnerabilities being exploited and understand if any data was exfiltrated. iOS updates and reboots might remove any temporary spyware, but they also remove evidence, so seeking expert help first is critical. Our iOS experts at iVerify are well equipped to help businesses, governments and targeted civilians; however, the latter group can also receive services through several civil organizations including Access Now, Amnesty International and The Citizen Lab. If expert help is not available, you can download the iVerify Basic App and use our Threat Hunting feature to gather basic forensic evidence; however, this is not as comprehensive as a full investigation.

  3. Restart your device: Most of these exploits exist in memory only -- they're not files, and rebooting your phone should, in theory, wipe the malware.

  4. Update your device software: Ensure your Apple devices are running the latest version of their respective operating systems (iOS, macOS, etc.). Software updates often include critical security patches that can protect against vulnerabilities.

  5. Enable Lockdown Mode: Apple provides a feature called "Lockdown Mode" which offers extreme, optional protection for users who believe they may be individually targeted by highly sophisticated cyberattacks. Enabling Lockdown Mode significantly reduces your device's attack surface, making it more resistant to these types of threats. You can find instructions on how to enable Lockdown Mode on Apple's support website.

  6. Back up your device: Create a backup of your device before making any significant changes or seeking forensic assistance. This ensures you have a copy of your data in case something goes wrong.

Deploy an EDR

Detecting spyware infection is only getting more difficult as vendors create stealthier versions of their software, and our own research shows a dangerous trend of “Going Dark,” whereby infection can only be detected with continuous monitoring. This likely means even fewer people will be alerted by a Threat Notification. Even adherence to the strictest security practices doesn’t protect against zero-click attacks, so constant monitoring is the best defence we currently have against exploitation. It can’t prevent a successful attack, but it can significantly reduce the time the threat actor has in a system before it’s detected.

If you think your device may have been compromised or you’re concerned about zero-click attacks, drop us a line at detection@iverify.io.
