Apple Forces Emergency Update For Virtually Every iPhone As 'Zero-Click' Spyware Locks Devices - Ruckus Factory


Apple’s vast iPhone user base is facing an escalating wave of stealthy surveillance attacks that require no taps, clicks, or obvious mistakes from victims. Sophisticated “zero-click” exploits, delivered largely through the Messages app, can silently infect devices and place them under complete attacker control—transforming everyday smartphones into remote surveillance and spying tools in seconds. In response, Apple is racing to harden iOS, roll out rapid security fixes, and automatically push critical patches in the background, as questions mount over whether any mobile platform can reliably protect billions of users from mercenary-grade spyware designed to commandeer their devices.

The Threat: Devices Transformed Into Remote Surveillance Weapons

When zero-click spyware successfully infiltrates an iPhone, the attacker gains comprehensive remote access and control over the compromised device. According to leaked documents and forensic analysis, these tools provide attackers with what security researchers call “full remote piloting capabilities”—meaning the attacker can turn an infected phone into a surveillance tool that operates entirely under their command, not the device owner’s.

Once installed, spyware like Pegasus, Predator, and Graphite can extract all data stored on the phone, including contacts, text messages, emails, photos, voice memos, calendar entries, call history, and browsing history. More invasively, attackers can remotely activate the phone’s camera to capture images of the user or their surroundings, and activate the microphone to eavesdrop and record voice and VoIP calls in real time or monitor conversations occurring near the phone. The spyware can also collect GPS data to track the user’s precise location and movements in real time.

Victims of these attacks describe having their devices effectively “locked” under attacker control—no longer truly their own, but rather remote surveillance nodes in an attacker’s network. As security researchers note, even end-to-end encrypted messaging services cannot protect messages if an intelligence officer is watching the target’s screen as they type. The device becomes a window into every aspect of the victim’s life: their communications, movements, activities, and private moments.

Global Campaign Against iPhone Users

Apple now counts more than 2.35 billion active devices and around 1.5 billion iPhones in circulation, making its ecosystem a prime target for commercial surveillance vendors. Recent attacks blend advanced technical exploits with social-engineering tactics designed to hijack Apple IDs, compromise apps, and siphon off sensitive data such as messages, photos, and location information.

Security agencies and rights groups say the campaigns increasingly focus on high-value targets—journalists, activists, lawyers, and political figures—in multiple regions. Recent forensic investigations have confirmed that European journalists covering government activities were targeted with Graphite spyware via zero-click iMessage exploits in early 2025. Similarly, a Meta employee working on the company’s security team had her device compromised with Predator spyware. These attacks are not theoretical threats; they are active campaigns weaponizing zero-click vulnerabilities against specific high-risk individuals.

Apple has responded with unusually urgent advisories, urging all iPhone owners to install the latest security updates without delay. Officials and regulators in countries with heavy iPhone use, including agencies like the FBI and CISA in the United States, have echoed those warnings, stressing that leaving devices unpatched dramatically increases the risk of compromise. Behind the appeals is a simple reality: with zero-click spyware, even careful users who avoid suspicious links can have their devices commandeered if their software is out of date.

Inside the Zero-Click Threat: How Attackers Seize Control

At the core of the current wave of attacks are multiple zero-click vulnerabilities that allow “arbitrary code execution” on a device with no action required from the owner. One such flaw, tracked as CVE-2025-43200, was identified in the Messages app and has been weaponized against journalists and activists. Another, CVE-2025-24201, similarly allowed attackers to run their own code on targeted iPhones. In many cases, a single malicious message—sometimes carrying a crafted image or attachment—is enough to trigger the exploit and install spyware invisibly.

Once the spyware gains a foothold through these zero-click vectors, the attacker’s command-and-control infrastructure takes over. Forensic analysis shows that infected devices begin making regular communications to attacker-controlled servers, sending compressed and encrypted data packages containing extracted messages, photos, call recordings, location histories, and real-time surveillance feeds from activated cameras and microphones.

These operations are tied to a growing commercial spyware industry led by vendors such as Paragon, Intellexa, and NSO Group, whose tools—known under names like Graphite, Predator, and Pegasus—were originally marketed to governments for counterterrorism and law-enforcement purposes. Investigations by research laboratories and human-rights organizations have since documented their use against civil society, political opponents, and other non-criminal targets. For the individuals affected, the impact is absolute: their devices are no longer under their control but instead serve as surveillance nodes for attackers, with full device compromise, exposure of sources and contacts, and extensive personal data theft, often discovered only after forensic analysis.

Pegasus includes a sophisticated self-destruct mechanism that can be remotely activated to cover the spyware’s tracks if exposure becomes likely—erasing evidence of the compromise from the victim’s device. This capability underscores the deliberate design of these tools to operate covertly and prevent victims from discovering they have been targeted.

Apple’s Emergency Response: Automatic Patches and Control Recovery

Apple has rushed out patches for the known zero-click vulnerabilities and has sent direct warning notifications to some high-risk users believed to be targeted by mercenary spyware. Yet security specialists caution that the underlying technique is unlikely to disappear. As long as messages and calls can arrive from the open internet, attackers will keep scrutinizing services like Messages and FaceTime for new flaws, and any newly discovered exploit can be weaponized quickly and sold to clients around the world.

Under mounting pressure, Apple is adjusting how it defends iPhones and helps users regain control of compromised devices. Recent iOS releases have introduced “Background Security Improvements,” a mechanism in iOS 26.1 that allows urgent patches to be pushed and installed automatically, reducing the window of exposure between discovery of a flaw and protection reaching users. The company has also expanded safeguards such as Lockdown Mode, increased phishing and fraud detection, and tightened protections around features like AirDrop and app review to reduce the number of pathways attackers can use to establish initial device control.

These technical changes reflect a broader shift in the threat landscape. As traditional desktop systems improve their defenses, attackers have increasingly pivoted to mobile platforms, which now store banking apps, authentication tools, private chats, and detailed location histories. That concentration of personal and professional data makes a single compromised smartphone more valuable than many laptops. Security researchers say the current mercenary campaigns are largely targeted, but warn that the same vulnerabilities could, in principle, be adapted for broader criminal use if they are not quickly found and fixed.

The Equity Problem: Older iPhones Left Vulnerable

The burden of these changes is not felt evenly. Many older iPhone models, including devices introduced in 2016-2017 such as the iPhone 7 Plus and iPhone 8, have been moved to Apple’s “vintage” list, where ongoing security updates are no longer guaranteed. Owners of these phones face rising pressure to upgrade if they want continued protection against emerging zero-click threats that could place their devices under attacker control, creating tension between long device lifespans and the need for up-to-date defenses.

At the same time, some users of newer models report glitches or performance concerns after rapid-fire emergency updates, underscoring the challenge of deploying frequent patches across a massive global install base while racing against well-funded adversaries who are constantly discovering new ways to seize control of devices.

The High-Stakes Race for Device Control

Apple’s leadership emphasizes its long-standing commitment to privacy and security, pointing to initiatives like the App Privacy Report, enhanced anti-tracking measures, and expanded cooperation with outside experts. The company has also joined Google in sending direct alerts to individuals believed to be under active attack by mercenary spyware operators. Nonetheless, independent researchers and advocacy groups argue that transparency, collaboration with external labs, and ecosystem-wide defenses will need to keep evolving if Apple is to stay ahead of well-funded adversaries.

For now, the contest between attackers and defenders remains finely balanced. Zero-click exploits have become some of the most coveted tools in the surveillance market precisely because they allow attackers to seize complete control of devices without any user interaction or awareness. Each disclosure of a zero-click vulnerability triggers rapid efforts by spyware vendors to find the next weakness to commandeer new devices. For billions of iPhone users, that means basic digital hygiene—installing updates promptly, enabling automatic security fixes, and treating unsolicited messages and calls with caution—has become a critical line of defense against having their devices placed under remote attacker control.

Whether any mobile platform can fully contain the threat from mercenary spyware remains uncertain, but the pressure on Apple and other manufacturers to reinforce their protections, especially for high-risk communities and owners of older devices, is only likely to grow as attackers continue to weaponize zero-click vulnerabilities to take control of user devices worldwide.
