Apple is warning that iPhones are being actively targeted by highly skilled attackers using mercenary spyware, and that the only realistic defense for most people is to update and restart their devices without delay. The company is pushing out emergency fixes, telling users that sophisticated hacks are already exploiting previously unknown flaws to quietly access data on their phones. The message is blunt: treat this as an urgent security incident, not a routine software refresh.
Elite spyware turns iPhones into quiet surveillance tools
Apple now says iPhones are under live attack from what it describes as mercenary spyware, the kind of tool usually sold to governments or well funded groups to monitor specific people. The company has framed the campaign as a threat to targeted individuals, warning that these tools are designed to slip past normal defenses and give attackers deep access to messages, photos and other sensitive data on a device. One analysis notes that Apple has already pushed emergency fixes to hundreds of millions of phones and is telling users to restart because the exploits are being used in the wild against real targets, not just in a lab test, with Apple explicitly tying the patches to this new wave of spyware.
Security researchers say this is not a broad smash and grab campaign but a focused operation against people whose data is especially valuable, such as journalists, political figures and activists. Apple itself has previously described these mercenary tools as comparable to earlier platforms like Pegasus, and independent experts now warn that the latest spyware appears to be part of the same commercial ecosystem that sells high end exploits to state level customers. One report stresses that by not upgrading, users are leaving themselves open to spyware that can be installed silently and that, while the spyware currently appears to be aimed at a limited set of victims, it could become a much wider problem if the techniques spread to the masses, a risk highlighted in a warning that millions of iPhone are already at risk.
The critical bugs: CVE exploits and a WebKit zero day
Behind the alarm is a cluster of specific software flaws that attackers are chaining together to compromise iPhones with little or no user interaction. Two of the most serious issues are tracked as CVE identifiers, including CVE-2025-43529, which has been described as a use after free memory vulnerability that lets malicious actors trick the browser engine into running their own code. Security guidance explains that this kind of bug can be triggered through a booby trapped website or link, and that once exploited it can give an intruder a foothold inside the system, a risk that has been tied directly to the current iPhone campaign through references to CVE level flaws.
Apple has also confirmed that at least one of the exploited bugs is a WebKit zero day, meaning attackers found and used it before a fix was available or widely deployed. The company is urging users to install iOS 26.2, describing the release as a focused response to these WebKit attacks and telling people to update and restart now to block the zero day from working. The language in the advisory is unusually stark, with the Security Alert explicitly calling out version 26.2 and warning that the zero day is being used in “sophisticated” attacks against targeted individuals.
Apple’s rare “act now” push to hundreds of millions of users
What makes this episode stand out is the scale and urgency of Apple’s messaging. The company has effectively told hundreds of millions of iPhone owners that their devices are part of a global security emergency, with one analysis estimating that around 800 million devices are potentially exposed and that the warning covers the most popular mobile phone line in the Uni. That same report notes that the alert has been framed as a major warning to iPhone users worldwide, with Kevin Harrish describing how Apple is trying to reach as many people as possible.
Despite that push, adoption of the fix is lagging. One data point cited in the security community is that 50% of eligible iPhone users have still not upgraded to the patched software, even after Apple’s urgent messaging. Analysts warn that this slow uptake turns a targeted spyware problem into a broader consumer risk, because attackers can keep using the same exploit chain as long as a large pool of devices remains unpatched. As one commentator put it, Given the fact that half of users have not yet upgraded, the situation has become a race between Apple’s update system and the attackers’ ability to find and exploit those who are slow to respond.
How to respond if you get an Apple threat or spyware alert
For a small subset of users, Apple is going beyond general software updates and sending direct threat notifications that warn of possible mercenary spyware targeting their specific Apple ID. These alerts can appear as messages at the top of the account management page after you sign in, and they are designed to be clear and hard to miss so that high risk users do not overlook them. Guidance from independent security firms explains that when you see such a notice at the top of your account, you should treat it as a serious signal that your device security needs immediate attention and follow the steps Apple recommends to verify the authenticity of the notification, advice echoed in a walkthrough that starts with the banner appearing At the top of the account page.
Security specialists also stress that receiving an Apple spyware warning does not automatically mean your phone is already compromised, but it does mean Apple’s internal systems believe you are at elevated risk. One detailed explainer frames it this way: Receiving such a notice is Apple’s way of telling you that your account or device has been linked to activity associated with mercenary spyware vendors, including platforms like Intellexa compared to Pegasus, and that you should take concrete steps such as updating, enabling strong passcodes and reviewing your accounts. That same guidance, under the heading Understanding the Alert, emphasizes that users should not panic but should move quickly to harden their devices.
Update, restart, but do not fall for fake Apple alerts
The most important step for almost every iPhone owner is still basic: install the latest iOS and restart the device so that the patches actually take effect. Security researchers like Pieter Arntz have argued that if you were still hesitating about iOS 26 and later, the current spyware wave should settle the debate, because staying on older versions is no longer a viable safety strategy. In practical terms, that means going into Settings, triggering the software update, and then performing a full reboot so that the new code replaces the vulnerable components, a sequence that Pieter Arntz describes as essential to blocking the current WebKit based attacks.
At the same time, users are being warned to distinguish genuine Apple security messages from scams that mimic them. The Apple security alert scam is a type of tech support fraud that uses fake pop ups and browser pages styled to look like official warnings, often claiming that The Apple system has detected a virus and urging you to call a number or grant remote access. Privacy experts explain that genuine Apple alerts only appear within the operating system or official websites, not as random full screen pages or redirects, a key difference highlighted in a guide that asks What a real Apple alert looks like.
Scammers are also sending phishing emails and texts that impersonate Apple, playing on the current wave of concern to trick people into handing over passwords or payment details. Security companies warn that Scammers use fake Apple security alert warnings to exploit fears over data theft, often linking to convincing but fraudulent login pages or urging victims to install bogus “protection” apps. The advice is to treat any unsolicited message about account problems with suspicion, verify it through official channels, and remember that Scammers are actively trying to piggyback on the real spyware crisis.
More from Morning Overview