Morning Overview

Signs your smartphone may be compromised and your activity monitored

In late 2023, Apple sent threat notifications to iPhone users in more than 90 countries, warning them that mercenary spyware may have targeted their devices. The alerts were not hypothetical. Investigations by Citizen Lab and Amnesty International later confirmed that commercial surveillance tools like NSO Group’s Pegasus and Intellexa’s Predator had been deployed against journalists, lawyers, and opposition politicians on multiple continents. By spring 2025, the Cybersecurity and Infrastructure Security Agency had published mobile communications best-practice guidance that treats smartphone surveillance not as a future possibility but as a present operational threat.

That federal document names journalists, activists, senior government officials, and corporate executives as the people most likely to face targeted mobile monitoring. But the techniques it describes do not stay neatly inside those categories. The same spyware sold to nation-states has surfaced on the phones of divorce attorneys, business rivals, and domestic abuse survivors, according to case reports compiled by Kaspersky and the Coalition Against Stalkerware. As of May 2026, the warning signs CISA highlights are worth understanding whether you run a newsroom or simply carry a phone.

Warning signs that something is wrong

No single symptom proves a phone has been compromised, but security researchers consistently flag the same cluster of red flags. Recognizing them early can mean the difference between a quick cleanup and months of silent data theft.

Unusual battery drain. Spyware typically runs persistent background processes to record audio, capture keystrokes, or relay location data. If your phone’s battery life drops sharply without a change in your own usage habits, that background activity could be the cause. Both ESET and Kaspersky have documented surveillance malware that kept device processors active even when screens were off, accelerating battery depletion by 20 to 40 percent in lab conditions.

Unexplained data usage spikes. Exfiltrating photos, messages, and call recordings requires bandwidth. A sudden jump in cellular data consumption, especially during hours when you are not actively using the phone, can indicate that information is being uploaded to a remote server. Check your device’s built-in data monitor (Settings > Cellular on iPhone, Settings > Network & Internet > Data Usage on most Android devices) and look for apps or system processes consuming disproportionate amounts.

Sluggish performance and frequent crashes. Malicious code competes with legitimate apps for memory and processing power. If a phone that previously ran smoothly begins freezing, lagging, or force-closing apps, particularly after you clicked an unfamiliar link or installed a new application, treat the timing as a potential indicator.

Unexpected reboots or shutdowns. Some spyware requires a restart to embed itself more deeply into the operating system. Repeated, unprompted reboots are not normal device behavior and should prompt further investigation.

Unfamiliar apps or permission changes. Review your installed apps periodically. An app you do not remember downloading, or a familiar app that has quietly gained access to your microphone, camera, or contacts, deserves scrutiny. On both iOS and Android, you can audit permissions in the privacy or security section of your settings.

Strange sounds during calls. Clicking, static, or faint voices on calls can have mundane explanations like poor signal, but in combination with other symptoms, they may point to call interception. CISA’s guidance notes that standard SMS and voice calls travel through infrastructure that sophisticated actors can tap, which is why the agency recommends encrypted alternatives.

Why these threats are not limited to high-profile targets

CISA’s guidance was written for people whose communications carry outsized intelligence value, but the underlying vulnerabilities are baked into the mobile ecosystem itself. The SS7 signaling protocol that carriers use to route calls and texts was designed in the 1980s with virtually no authentication. Researchers have demonstrated SS7 exploitation in public since at least 2014, and security firms like AdaptiveMobile have documented its use in real-world surveillance campaigns.

Commercial spyware has also become more accessible. After the U.S. government placed NSO Group on its Entity List in November 2021 and the Biden administration issued an executive order restricting federal use of commercial spyware in March 2023, several competitors moved to fill the market gap. Citizen Lab’s ongoing tracking has identified new entrants selling zero-click exploit chains at price points within reach of smaller state agencies and even well-funded private actors.

Meanwhile, consumer-grade stalkerware, a less sophisticated but far more widespread category, continues to proliferate. Kaspersky’s 2024 stalkerware report found detections on tens of thousands of devices globally, with the software often installed by someone with brief physical access to the victim’s phone. The behavioral indicators overlap significantly with those flagged by CISA: battery drain, data spikes, and unfamiliar background processes.

What you can do right now

CISA’s recommended countermeasures are practical and, for most people, free. They will not make a phone impervious to a well-resourced intelligence service, but they raise the cost of compromise substantially.

Update immediately and continuously. Install pending operating system and app updates as soon as they are available. The majority of known spyware exploits target vulnerabilities that have already been patched. Delaying updates leaves the door open.

Audit app permissions. Go through your installed apps and revoke access to the microphone, camera, contacts, and location for any app that does not clearly need it. Pay special attention to apps you did not install yourself.

Switch to encrypted communications. For sensitive conversations, use end-to-end encrypted messaging and calling apps such as Signal. Standard SMS and carrier voice calls are inherently vulnerable to interception.

Enable Lockdown Mode (iPhone) or choose patched devices (Android). Apple’s Lockdown Mode disables several attack surfaces, including message link previews and certain wireless protocols, that spyware commonly exploits. On Android, select devices from manufacturers that deliver monthly security patches promptly; Google’s own Pixel line is typically the fastest to receive them.

Turn on multifactor authentication. Protect every account tied to your phone number with app-based or hardware-key multifactor authentication. SIM-swapping attacks, where an adversary convinces your carrier to transfer your number to a new SIM, can bypass SMS-based two-factor codes entirely.

Maintain physical control. Many spyware installations, especially stalkerware, require brief physical access. Do not leave your phone unattended in unfamiliar environments, and use a strong alphanumeric passcode rather than a simple four-digit PIN.

Consider a forensic check. If multiple warning signs persist after updates and permission audits, tools like Amnesty International’s Mobile Verification Toolkit (MVT) can scan device backups for known spyware indicators. For non-technical users, the startup iVerify offers a simplified scanning service. A factory reset, restoring only essential apps from a trusted source, remains the most reliable way to remove persistent malware if compromise is confirmed. Back up important files to a secure location before resetting.
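The permission audit described in the steps above can also be run in bulk on Android, over the text that `adb shell dumpsys package` prints for a device you own. The sketch below is an added example, not part of the original article: the sample text is constructed, and treating only `com.android.vending` (Google Play) as a trusted installer is an assumption.

```python
import re

# Permissions the article says to review: microphone, camera, contacts, location.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")

# Constructed sample modelled on dumpsys output; layout varies by Android version.
SAMPLE = """\
  Package [org.example.messenger] (1a2b3c):
    installerPackageName=com.android.vending
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.systemsync] (4d5e6f):
    installerPackageName=null
    User 0: installed=true
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

def audit(dumpsys_text):
    """Return (package, installer, capabilities, untrusted_installer) rows."""
    # Lines seen before the first package header go to a discarded record.
    apps, current = {}, {"grants": set()}
    for line in dumpsys_text.splitlines():
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), {"installer": "null", "grants": set()})
        elif m := INSTALLER_RE.match(line):
            current["installer"] = m.group(1)
        elif (m := GRANT_RE.match(line)) and m.group(1) in SENSITIVE:
            current["grants"].add(SENSITIVE[m.group(1)])
    rows = [(name, a["installer"], sorted(a["grants"]),
             a["installer"] not in TRUSTED_INSTALLERS)
            for name, a in apps.items() if a["grants"]]
    # Apps from an untrusted or unknown installer sort to the top for review.
    return sorted(rows, key=lambda r: (not r[3], r[0]))

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `null` installer is not proof of compromise, since preinstalled system apps report it too; treat the flagged rows as a shortlist to review by hand.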

Where the public record still has gaps

No federal agency publishes annual statistics on how many consumer smartphones in the United States are found to contain surveillance malware. Without that baseline, it is difficult to know whether the warning signs described above apply broadly or remain concentrated among high-value targets. CISA’s guidance is specific about who faces the greatest risk but silent on prevalence among the general population.

Attribution is another persistent challenge. Even when a device is confirmed compromised, determining who is behind the attack typically requires forensic resources beyond what most individuals or small organizations can muster. State-backed operators may license commercial spyware, while criminal groups may repurpose infrastructure once associated with government campaigns. The result is a public record that almost certainly undercounts the true scale of targeted mobile surveillance.

There is also a subtle tension between routine updates and early detection. When a phone installs an automatic update, it restarts services and resets background processes, which can temporarily mask the very symptoms that would alert a user. A device running spyware might briefly return to normal battery life and data usage after a patch, only for the malicious process to re-establish itself. This does not mean users should avoid updates; the protective value far outweighs the detection trade-off. But it does mean that a single clean day after an update is not proof that a phone is free of compromise.

Until more comprehensive data emerges, the most defensible approach is to follow CISA’s guidance where it is specific, borrow its protections even if you do not consider yourself a high-value target, and resist the urge to fill the gaps in the public record with either complacency or unfounded alarm. The threat is real, the countermeasures are accessible, and the signs are worth knowing.

*This article was researched with the help of AI, with human editors creating the final content.