Apple has issued an urgent warning to virtually every iPhone owner globally, alerting them to sophisticated threats ranging from zero-click exploits that require no user interaction to social engineering scams designed to extract passcodes and banking credentials. The stakes are severe: attackers can drain bank accounts, steal identities, and convert devices into covert surveillance instruments.
The Silent Threat of Zero-Click Attacks
Zero-click exploits represent a particularly insidious danger because they operate without any warning or user action. Researchers at Citizen Lab documented how Paragon’s Graphite mercenary spyware exploited a zero-click vulnerability in Apple’s iMessage platform to silently infect journalists’ iPhones. Victims received an ordinary message with no alarming indicators, yet the spyware installed automatically. No link required clicking. No attachment needed opening. The infection occurred entirely through Apple’s own messaging infrastructure, leaving targets completely unaware of compromise.
Expanding Threat Landscape
What began as targeted attacks against high-profile individuals has evolved into broader criminal campaigns. Apple has identified four distinct spyware operations targeting its devices. Italian journalist Ciro Pellegrino and a prominent European journalist both fell victim to Graphite spyware in early 2025 through the same attacker infrastructure. Other targets included journalist Francesco Cancellato and activists Luca Casarini and Dr. Giuseppe Caccia. Mercenary surveillance tools are being weaponized faster than Apple can develop patches to address them.
Critical Security Updates Released
Apple has deployed emergency security updates addressing multiple vulnerabilities. CVE-2025-24201, a WebKit flaw allowing arbitrary code execution, existed in iOS versions before 17.2, prompting supplementary fixes across iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, watchOS 2.3.2, and Safari 18.3.1. Additional patches addressed CVE-2025-31200 and CVE-2025-31201, which Apple characterized as “extremely sophisticated attacks” targeting specific individuals. The window between vulnerability discovery and mass exploitation is measured in hours rather than weeks, making immediate action essential.
Throughout 2025, Apple has disclosed multiple actively exploited zero-day vulnerabilities, with cybersecurity agencies cataloging several Apple flaws among known exploited vulnerabilities. In single security cycles, Apple patches dozens of vulnerabilities across its ecosystem. Security strategists emphasize that users should not delay updating their iPhones, as significant updates contain extensive security fixes.
Social Engineering and Account Takeover Schemes
Beyond technical exploits, attackers employ sophisticated social engineering tactics. The latest wave involves unsolicited calls claiming to originate from Apple Support. Attackers trigger genuine Apple two-factor authentication codes, then immediately contact victims warning of account breaches. Because the codes genuinely come from Apple’s systems, victims perceive the threat as legitimate. Callers direct victims to fraudulent Apple portals and trick them into entering their two-factor authentication codes. Once scammers obtain access, they change passwords, lock out legitimate owners, and gain control of payment methods and personal information.
What Compromised Devices Reveal
Once attackers control an iPhone, the possibilities for espionage become virtually unlimited. Device microphones and cameras can be activated remotely without any visual indicator. Location services transform into tracking beacons. Text messages, emails, financial applications, and password managers become accessible. Banking information, identity documents, and investment portfolios lie exposed. For journalists and executives, the risks are existential. For everyday users, threats remain equally real but often invisible until accounts are drained or identities are stolen.
Compromised devices expose everything stored on them. Banking applications reveal account numbers and balances. Password managers unlock every online account. Photos contain driver’s licenses, passports, and Social Security cards. Email archives expose tax documents and medical records. Apple Pay stores credit cards and transaction histories. iCloud Keychain holds Wi-Fi passwords and work credentials. The average victim faces hundreds or thousands of dollars in direct fraud, while identity theft resolution can consume years.
Protective Measures Available
Apple has integrated an App Privacy Report into iOS that allows users to monitor how often applications access sensitive data including location, microphone, and camera. Users running iOS 15.2 or later can activate App Privacy Report through Settings > Privacy & Security > App Privacy Report to review access logs from the previous seven days. The report displays which applications accessed location, photos, camera, microphone, and contacts. Unexpected microphone or camera access may indicate compromised applications warranting permission reconsideration.
Users and security researchers discovering vulnerabilities can report them directly to Apple through responsible disclosure channels. Apple maintains a web portal for security research submissions and accepts reports containing clear descriptions, working exploits or proof-of-concept demonstrations, specific product and software versions, and reproduction steps. Researchers must be the first party submitting complete and actionable reports, and issues must remain undisclosed publicly before Apple releases patches.
The Urgency of Immediate Action
The window for safety is narrowing. Every day a device remains unpatched represents another opportunity for attackers to exploit existing vulnerabilities. Users should navigate to Settings > General > Software Update and install the latest iOS version immediately. Zero-click exploits announce themselves to no one. The 1.8 billion iPhone owners Apple is warning represent virtually every person globally carrying the device. The company has sounded the alarm. The critical question now is whether users will respond before it becomes too late.
Sources
Citizen Lab: Graphite mercenary spyware iOS forensic report (Paragon)
Citizen Lab: Paragon spyware operations and targeting analysis
Oligo Security: AirBorne zero-click RCE in Apple AirPlay technical write-up
Apple & national CERT advisories on AirPlay / AirBorne CVEs (e.g., CSA advisory AL-2025-042)
Reuters: Apple and Google cyber threat / mercenary spyware notifications to users worldwide