Apple reportedly is alerting iPhone users in 92 countries that they may have been the targets of attacks using “mercenary spyware,” a term that the company is now using in such alerts in place of “state-sponsored” malware.

Apple’s messages to affected users said they were being “targeted by a mercenary spyware attacks that is trying to remotely compromise the iPhone,” according to reports from news outlets that have seen the alerts.

The company added that “attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning – please take it seriously.”

In addition to giving affected users a warning, Apple’s alerts and the changes in the wording of its alert notification page put another spotlight on the problem of commercial surveillance software – spyware – and its use by governments that leverage it to surveil and track such groups as journalists, dissidents, political opponents, and rights organizations.

The Threat of Spyware

The Biden Administration has taken a number of steps to curtail the use of spyware, such as putting visa restrictions on foreign individuals who have been involved in the misuse of  the technology, and in 2021 blacklisted NSO Group, the developer of the Pegasus spyware and the vendor in the space with the highest profile.

NSO Group and other vendors, such as Cy4Gate, RCS Lab, and Intellexa, have argued that their software is designed for governments, law enforcement agencies, and similar organizations to fight organized crime and terrorism. But groups like CitizenLab have multiple instances where governments were using the spyware to track particular groups of people.

Google has been a vocal critic of spyware. In a report, the IT giant wrote that NSO Group and similar companies “emerged to fill a lucrative market niche: selling cutting edge technology to governments around the world that exploit vulnerabilities in consumer devices and applications to surreptitiously install spyware on individuals’ devices. By doing so, commercial surveillance vendors (CSVs) are enabling the proliferation of dangerous hacking tools. The harm is not hypothetical.”

In a more recent report last month, Google wrote that spyware vendors are playing an increasingly large role in the growing number of zero-day vulnerabilities that are exploited every year. In 2023, spyware accounted for about half of such exploits linked to governments.

“It’s really important to recognize that mercenary spyware, unlike others, is deliberately designed with advanced capabilities, including zero-day exploits, complex obfuscation techniques, and self-destruct mechanisms, making it highly effective and hard to detect,” said Krishna Vishnubhotla, vice president product strategy at Zimperium. “Operating in stealth is key to its success.”

Apple’s Battles

The latest alerts by Apple are not the first run-in iPhone users have had with spyware. Apple sent similar alerts in October 2023 warning some Indian lawmakers who were members of an opposition party to Prime Minister Narendra Modi that their devices were being attacked by such software. In late December, Amnesty International reported that it found the Pegasus spyware on the iPhones of journalists in India.

Apple sued NSO Group in 2021 for its targeting of Apple device users, with the case continuing to make its way through the courts.

According to Apple, it was sent threat notifications multiple times a year since 2021 after detecting such attacks, notifying users in more than 150 countries. The company’s threat alert page initially referred to “state-sponsored attacks.” However, in an update this week, it now talks about mercenary spyware attacks.

“Such attacks are vastly more complex than regular cybercriminal activity and consumer malware, as mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices,” the company says on the page. “Mercenary spyware attacks cost millions of dollars and often have a short shelf life, making them much harder to detect and prevent. The vast majority of users will never be targeted by such attacks.”

However, Apple also writes that “individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies developing mercenary spyware on their behalf, such as Pegasus from the NSO Group.”

It added that although they’re deployed against small numbers of people, “mercenary spyware attacks are ongoing and global.”

John Bambenek, president of Bambenek Consulting, said by changing the wording in its alert page, Apple is highlighting the scale and scope of the problem.

“These types of attacks have victims in every country in the world,” Bambenek said, noting Apple calling NSO Group by name. “Other groups are in this business too, but clearly Apple has NSO specifically in mind.”

If the vendor suspects a spyware attack us underway, it alerts users through a threat notification at the top of the page after the user signs into their Apple account as well as an email and iMessage sent to the email addresses and phone numbers associated with the user’s Apple ID.

Included in the alerts are steps to take to protect their iPhones, including putting them into Lockdown Mode.