Targeted by Government Spyware? What to Do After an Apple, Google, or WhatsApp Warning

Received an Apple, Google, or WhatsApp spyware alert? Here’s what it means, how to secure your devices, and where to get expert help.


Getting a sudden alert that you’ve been targeted by government spyware can feel surreal—and terrifying. In seconds, you’re forced to make decisions about your phone, your accounts, and your safety, often with little guidance beyond the warning itself. If you’ve received one of these notifications, there are practical steps you can take immediately, and specialized organizations that may be able to help you understand what happened.

One person who experienced this firsthand is Jay Gibson. He was going about a normal day when an iPhone notification appeared: “Apple detected a targeted mercenary spyware attack against your iPhone,” it said. Gibson had previously worked for companies that built the very kind of spyware that can trigger such warnings, yet the message still caught him off guard. He called his father, powered down his phone, put it away, and bought a new one. “I was panicking,” he said. “It was a mess. It was a huge mess.”

Gibson’s experience reflects a growing reality: more people are being warned by major platforms that they may be in the crosshairs of sophisticated “mercenary spyware” operations—often associated with government hacking and spyware vendors such as Intellexa, NSO Group, and Paragon Solutions.

Apple, Google, and WhatsApp have all developed ways to notify users when their security teams believe those users are being targeted. But while the alerts can be life-saving, they usually come with a frustrating gap: the platform warns you, offers some basic protective steps, and then largely steps back. From there, it’s on you to decide what to do next.

A photo showing the text of a threat notification sent by Apple to a suspected spyware victim. Image Credits: Omar Marques / Getty Images

Step 1: Treat the notification as real

The most important first move is also the simplest: take the warning seriously. Big tech companies have extensive telemetry across devices, apps, and accounts, and they employ security teams that have spent years tracking and analyzing this kind of activity. If Apple, Google, or WhatsApp says you were targeted, that assessment is unlikely to be casual.

It’s also crucial to understand what the warning does—and doesn’t—mean:

  • An alert doesn’t always mean you were successfully hacked. In particular, Apple and WhatsApp notifications can be triggered even if an attack attempt fails. The platform may still be confident you were targeted.
  • Some alerts may indicate the platform blocked the attack. In Google’s case, the notification often arrives alongside steps you can take to harden your account, suggesting that Google may have interrupted the attempt and is now urging you to reduce future risk.

In other words, don’t assume the worst—but don’t dismiss it, either. You should act as if your device or accounts might be at risk until you can confirm otherwise.

Step 2: Lock down your accounts and devices immediately

After the shock, your next priority is basic containment and hardening: reduce the chance of follow-on attacks and limit exposure if something did get in.

For Google accounts: strengthen authentication and protections

If you received a Google warning, the company generally points users toward stronger account security settings. That includes enabling multi-factor authentication—ideally using a physical security key or passkey—and turning on Google’s Advanced Protection Program, which requires a security key and adds additional safeguards designed for high-risk users.

(One product category often recommended for high-risk multi-factor authentication is a physical security key; a well-known overview is this guide, which explains what they are and how they work.)

For Apple devices: enable Lockdown Mode

Within Apple’s ecosystem, one of the strongest defensive steps is switching on Lockdown Mode. This setting activates a set of restrictions and security measures intended to make it substantially harder for advanced attackers to exploit your iPhone and other Apple devices.

Apple has said it has not observed a successful hack of a user with Lockdown Mode enabled, while also acknowledging that no system can be perfect. Still, for people who have received a spyware alert—or who believe they may be at elevated risk—Lockdown Mode is designed specifically for this scenario.

Broader safety guidance from incident responders

Mohammed Al-Maskati, director of Access Now’s Digital Security Helpline, has described a set of baseline practices the helpline shares with people worried about government spyware targeting. The recommendations include:

  • Keep your operating system and apps fully updated (patches often close the vulnerabilities spyware relies on).
  • Turn on Apple’s Lockdown Mode and enable Google’s Advanced Protection for accounts and for Android devices.
  • Be cautious with suspicious links and attachments, which can still play a role in certain compromise chains.
  • Restart your phone regularly, which may help disrupt certain types of malicious activity.
  • Watch for unusual device behavior, such as sudden glitches or unexpected performance changes.

These steps won’t guarantee safety against well-resourced attackers, but they can reduce risk and help prevent opportunistic re-targeting.

Step 3: Decide whether to investigate on your own or get expert support

What you do next depends heavily on your role, your risk profile, and your access to trusted technical help.

Option A: Use an open source tool to look for forensic traces

If you have some technical confidence—or you have a trusted person who does—there are downloadable tools that can help identify signs of a spyware attempt. One widely used option is the Mobile Verification Toolkit (MVT). MVT is designed to help check a device for forensic indicators that can suggest targeting or compromise.

This kind of self-check can be a first step before escalating to a more formal investigation. That said, using forensic tools correctly often requires care and patience, and results can be ambiguous—especially against sophisticated spyware designed to avoid detection.
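To make "checking for forensic indicators" concrete, the sketch below is an added example, not MVT's code or anything from the original reporting: it loads domain indicators from a STIX 2-style bundle and matches them against URLs recovered from a device. The bundle, the domain `bad-infra.example`, and the history rows are all constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX 2-style bundle; names and domain are placeholders, not real IoCs.
BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad-infra.example']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[process:name = 'fakehelperd']"},  # not a domain: skipped below
]})

# Constructed rows standing in for browser history pulled from a backup.
HISTORY = [
    ("2024-01-02T10:00:00Z", "https://news.example.org/article"),
    ("2024-01-02T10:05:11Z", "https://cdn.bad-infra.example/a?id=1"),
    ("2024-01-02T10:06:00Z", "https://notbad-infra.example/"),
    ("2024-01-02T10:07:00Z", "https://example.com/?next=bad-infra.example"),
]

DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

def load_domain_indicators(bundle_json):
    """Return the set of domains named by simple domain-name indicators."""
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        match = DOMAIN_RE.fullmatch(obj.get("pattern", "").strip())
        if obj.get("type") == "indicator" and match:
            domains.add(match.group(1).lower().rstrip("."))
    return domains

def check_history(rows, domains):
    """Match on the parsed hostname (exact or subdomain), never on the raw URL."""
    hits = []
    for timestamp, url in rows:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        for domain in sorted(domains):
            if host == domain or host.endswith("." + domain):
                hits.append({"time": timestamp, "url": url, "indicator": domain})
    return hits

def verdict(hits):
    """No match means only that no known indicator was seen."""
    if hits:
        return "indicator match: preserve the device and escalate"
    return "no known indicators found: not proof the device is clean"

if __name__ == "__main__":
    found = check_history(HISTORY, load_domain_indicators(BUNDLE))
    print(found, verdict(found), sep="\n")
```

Only the second history row matches: the look-alike host and the URL that merely mentions the domain in a query string are correctly ignored, which is why matching on the parsed hostname matters for avoiding false alarms.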

Option B: Contact organizations that investigate spyware attacks on civil society

If you’re a journalist, dissident, academic, or human rights activist, there are established organizations that may be able to help investigate. These groups have years of experience working with spyware cases and assisting people who face elevated threats.

  • Access Now and its Digital Security Helpline, which operates as a 24/7 global team supporting civil society and investigating spyware concerns.
  • Amnesty International, which maintains a team that can assist and has deep experience analyzing these threats.
  • The Citizen Lab, a digital rights group at the University of Toronto that has investigated spyware abuses for almost 15 years.
  • If you are a journalist, Reporters Without Borders also operates a digital security lab offering investigations into suspected hacking and surveillance.

These organizations often prioritize civil society cases. If you fall outside those categories, support options may look different.

Option C: If you’re an executive or politician, escalate through institutional security—or vetted private services

For politicians, business executives, and others outside of civil society categories, the first stop may be internal security. If you work at a large company or belong to a political organization, you may have an in-house security team that can coordinate next steps. Even if they aren’t specialized in spyware forensics, they may know where to route the case.

There are also private-sector organizations that offer services in this area. Options that have been pointed to by people familiar with spyware investigations include:

  • iVerify, which offers an Android and iOS app and provides an option for deeper forensic investigation.
  • Safety Sync Group, a startup founded by Matt Mitchell, described as a well-regarded security expert known for helping vulnerable groups improve protection against surveillance.
  • Hexordia, a startup run by forensic investigator Jessica Hyde, offering suspected hack investigations.
  • Lookout, which provides an online form for reporting mobile incidents involving malware, device compromise, and related threats; its threat intelligence and forensics teams may get involved.
  • TLPBLACK, led by Costin Raiu, whose team includes former researchers from Kaspersky’s Global Research and Analysis Group (GReAT). Raiu has said people who suspect they’ve been hacked can email him directly.

As with any sensitive security engagement, choosing who to trust matters. Make sure any provider you approach is reputable, transparent about process and data handling, and clear about what evidence they can realistically expect to find.

Step 4: Understand what a spyware investigation may involve

Spyware investigations aren’t like running a quick antivirus scan. In many cases, the first phase is designed to be minimally invasive.

Typically, investigators may begin by asking for a diagnostic report file that you can generate from your device. That file can sometimes be shared remotely, allowing an initial pass for indicators of targeting or compromise without immediately handing over your phone.

From there, several outcomes are possible:

  • Signs of targeting are detected, which may justify deeper forensic work.
  • Potential indicators of infection appear, prompting a more urgent investigation and mitigation planning.
  • Nothing obvious turns up, which doesn’t necessarily prove you weren’t targeted—only that artifacts weren’t found in the initial review.

If investigators need to go further, they may request a full device backup—or, in some cases, the device itself. This is where timelines can stretch, because modern government spyware is often engineered to evade forensic visibility and to erase traces.

Hassan Selmi, who leads the incident response team at Access Now’s Digital Security Helpline, has described a common pattern as “smash and grab.” The idea: once the spyware lands, it extracts as much data as possible and then attempts to uninstall itself or wipe evidence. One reason for this approach is to protect the spyware maker’s product and reduce the chance researchers can analyze it.

That reality can be frustrating for victims: even with expert support, there may be no definitive proof left behind.

Step 5: Consider whether to go public—on your terms

If you’re part of civil society and receive help from specialized groups, you may be asked whether you want to publicize the targeting. It’s a choice, not a requirement, and support can still be provided without public attribution.

There can be reasons to speak out, including:

  • Calling attention to government targeting and the risks faced by people in similar roles.
  • Highlighting spyware vendor abuse by showing how customers may be using these tools.

At the same time, going public can introduce new risks. The decision should reflect your situation, your safety needs, and guidance from trusted advisors.

Conclusion

A government spyware warning from Apple, Google, or WhatsApp is not a routine security alert—it’s a signal you should respond to with urgency, care, and a plan. Harden your devices and accounts, seek qualified help if you can, and remember that the absence of forensic evidence doesn’t always mean the absence of risk. The key is to act quickly, protect your data, and get the right support for your circumstances.


Based on reporting originally published by TechCrunch.