Journalists, lawyers, politicians, and human rights activists have all been targeted by NSO’s Pegasus software, and Apple has now said that it will send security alerts to customers whose devices may be been compromised. It has already done so for at least five Thai activists and researchers.

It follows Apple’s announcement yesterday that it is suing NSO for attacking iOS users …


Our NSO guide explains the background, but the tl;dr version is that the Israeli company makes Pegasus spyware to compromise iPhones, and sells it to governments – without being too picky about which ones.

NSO sells Pegasus only to governments, but its customers include countries with extremely poor human rights records – with political opponents and others targeted. A report by Amnesty International said that Pegasus was being used to mount zero-click attacks against human rights activists and other innocent targets.

Notifications for those targeted by NSO

Apple is now actively monitoring devices for signs that they have been compromised by Pegasus, and the company will use three different methods to notify those customers it believes may be affected.

A new support document explains.

Apple threat notifications are designed to inform and assist users who may have been targeted by state-sponsored attackers. These users are individually targeted because of who they are or what they do. Unlike traditional cybercriminals, state-sponsored attackers apply exceptional resources to target a very small number of specific individuals and their devices, which makes these attacks much harder to detect and prevent.

State-sponsored attacks are highly complex, cost millions of dollars to develop, and often have a short shelf life. The vast majority of users will never be targeted by such attacks.

If Apple discovers activity consistent with a state-sponsored attack, we notify the targeted users.

The company will notify users in three ways:

  • iMessage
  • Email
  • An alert in the Apple ID site (seen above)

Apple warns that the ever-changing methods used means that it cannot guarantee to detect all attacks, and also that false alarms are possible. The company stresses that these notifications will never ask users to click on any links, nor install anything. Anyone wanting to verify that an alert is genuine should sign in to and check for an alert at the top of the page.

Finally, the company outlines the key security steps all users should follow to prevent more general attacks.

  • Update devices to the latest software, as that includes the latest security fixes
  • Protect devices with a passcode
  • Use two-factor authentication and a strong password for Apple ID
  • Install apps from the App Store
  • Use strong and unique passwords online
  • Don’t click on links or attachments from unknown senders

To that last one, I’d add don’t do this even if the sender is known unless you are actually expecting them to send you a link or attachment, as it is both easy and common to spoof sender addresses.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear