WWW.FORBES.COM
Apple Warns Users Of iPhone Spyware Attacks: What You Need To Know
Apple will warn you of a suspected hacking attack. NurPhoto via Getty Images

Update, Dec. 23, 2024: This story, originally published Dec. 21, now includes advice on checking whether your iPhone has been infected by spyware using an app called Am I Secure? There is also additional information on how the same technology is used to protect governments from nation-state eavesdropping on the iOS platform.

Apple has been sending users warnings of suspected spyware attacks by way of an iPhone hacking notification system for years. The chances are that you didn't know, especially if you've never received one. Here's another surprise: Apple doesn't offer to help but directs the victims to a non-profit organization instead. Here's what you need to know.

Apple's iPhone Spyware Hacking Notification System Explained

If you were to get a notification from Apple warning you that spyware hackers were targeting your iPhone, you'd rightly be more than a little concerned. But how about if that warning didn't offer direct help from Apple itself but rather directed you toward a non-profit organization for advice instead? That, it would appear, is precisely what has been happening, according to a new report published in TechCrunch. An example of just such a notification was shared with the publication: "Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple Account. This attack is likely targeting you specifically because of who you are or what you do. Although it's never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning; please take it seriously."

In a posting explaining the system, Apple said: "Since 2021, we have sent Apple threat notifications multiple times a year as we have detected these attacks, and to date we have notified users in over 150 countries in total."

Why You Will Probably Never See An iPhone Spyware Warning

Confirming that the vast majority of iPhone users will, thankfully, never see such a notification, Apple explained that the notifications are designed to inform and assist users who may have been individually targeted by mercenary spyware attacks and, importantly, have been so targeted likely because of who they are or what they do. With these kinds of spyware hacking attacks being vastly more complex than standard cybercriminal activity and most consumer-facing malware, Apple said, mercenary spyware attackers apply exceptional resources to target a very small number of specific individuals and their devices. The notifications themselves come in two parts: a threat notification shown after the user signs into their Apple account page, and a combination of email and iMessage notifications sent to the addresses and phone numbers associated with that account.

How To Check If Your iPhone Has Been Infected By Spyware

As already stated, unless you are in a particularly vulnerable occupation and/or have access to highly sensitive data, it is highly unlikely that you will be targeted by spyware. That doesn't mean the chances are zero, however, so being able to quickly check your iPhone for any signs of such malicious activity is a recommended bit of knowledge to possess. As my colleague Kate O'Flaherty recently reported, always keeping your iPhone up to date with the latest software and restarting your iPhone regularly, as this can temporarily disrupt spyware's access to your device, is good advice. So is using an app to run a quick check.

One option is iVerify, which has been around for the longest time, but I've been trying out a newer alternative. "The standalone on-premises version of the Am I Secure? app is what is used by government clients to ensure no device data at all, even if not sensitive or private, leaves government control, and that they control all discoveries of spyware, such as which users were hit and when, for political and investigatory reasons," Colin Caird, the founder of Numbers Station, which developed the app, said. The consumer version is very easy to use, with installation taking moments and a standard scan just a few seconds. The app is capable of detecting "even nation-state level implants or spyware like NSO Group's Pegasus," Caird said, and "provides the same level of detection capabilities as our government clients." Although the app is free to use for standard scanning, the advanced scanning functionality requires a subscription. There's no access to contacts, camera, microphone etc. required, although for the advanced scan Am I Secure? does require you to run an iPhone system diagnostic and share it with the analyzer servers running an AI-powered analysis. This looks for:

- Existing indicators of compromise that the Numbers Station threat-hunting team has previously discovered.
- And, via the AI capabilities, anomalies in your device's system diagnostic information that deviate from a known-good or expected baseline, so they can be triaged for manual analysis.

So far, I must say, I'm very impressed with the capabilities of this app. See the screenshot below for an idea of the information presented to the user. "However, we recommend users that have a compromise and work in media or human rights contact Access Now, Amnesty Tech or Citizen Lab to perform the forensic work required to determine the vulnerabilities that were exploited," Caird still concluded.

Am I Secure? app checks for spyware at a forensic level. Davey Winder

How Numbers Station Protects Governments From iPhone Spyware Attacks

As already mentioned, the Am I Secure? app and other Numbers Station tools are already well known to governments around the world. "Our solutions currently protect the personal and state-owned mobile devices of heads of state, prime ministers and cabinet officials from the most advanced cyber threats," Caird said, and in particular are used by multiple NATO governments. As well as protecting senior leadership, various Numbers Station-developed security solutions also protect against threats to agency and department staff. "Our government clients have already discovered active operations against their devices running the latest versions of iOS," Caird said, although providing evidence of these claims is not possible due to the confidential nature of such threats.

This is important, Caird said, because most network monitoring security solutions focus on Linux and Windows threats, and thanks to the extensive use of Transport Layer Security (TLS) certificate pinning by mobile apps there is zero visibility of the threats posed by iOS and iPadOS devices. Now consider that initial exploitation vectors are oftentimes delivered by way of end-to-end encrypted messaging apps, and you start to realize that all these layers of encryption, while good, are also bad: from the threat and compromise detection perspective, at least.

Not, of course, that there aren't already a number of apps and other security solutions on the market, despite what Caird said. However, he has a defense against this argument, or should that be an attack, whatever: "These cannot detect advanced implants/spyware used by nation states," Caird said. "If they could you wouldn't see the attacks in the news." Partly, Caird said, this is down to the iOS sandboxing security feature which, perhaps ironically, means that most solutions cannot access the data that would be required to perform meaningful security analysis in the first place. Instead, most will just look to ensure compliance with security policies; yet a device that has a passcode enabled, isn't jailbroken and is running the very latest version of the operating system is still vulnerable to nation-state threat actors, as multiple headlines over the years should have taught us by now.

The Numbers Station iOS/iPadOS Standalone Analyzer used by various NATO governments was developed to address just these requirements. The tool can run on a fully air-gapped network as well as on a laptop with no external network access, Caird said, with the results tailored to varying levels of sensitivity as required, ranging from alerts for non-expert users right through to reports for cyber security forensic experts. The way this works is that, rather than relying upon known indicators of compromise, the checks use system diagnostic data analysis to uncover anomalies. "We do not require a list of already known IoCs," Caird said, "since they would stand out as anomalous anyway." Staff at one government agency, for example, upload sysdiagnose files to an internal file share. Then, on a daily basis, a batch analysis is performed, with the results delivered to in-house cyber security experts to review.

I have reached out to Apple for clarification as to why iPhone users are directed to contact a non-profit organization, Access Now, rather than its own security engineers.
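To make the two-stage approach described above concrete (known indicators matched first, then anything that deviates from a known-good baseline flagged for an analyst), here is an added Python example that is not Numbers Station's code; the baseline paths, the IoC path and the sysdiagnose-style process listing are all constructed placeholders, not real spyware indicators.

```python
"""Baseline-deviation triage over a sysdiagnose-style process listing.
Added example: the baseline, IoC and sample listing are constructed."""
import re
from dataclasses import dataclass

# Constructed known-good baseline: binaries seen on clean devices of one iOS build.
KNOWN_GOOD_BASELINE = {
    "/usr/libexec/launchd", "/usr/sbin/bluetoothd", "/usr/libexec/locationd",
    "/System/Library/PrivateFrameworks/IMCore.framework/imagent",
}
# Constructed IoC list; a placeholder path, not a real indicator.
KNOWN_IOCS = {"/private/var/tmp/example-implant-placeholder"}

# Constructed 'ps'-style listing as a sysdiagnose bundle would carry it.
SAMPLE_PS_LISTING = """\
  PID USER   COMMAND
    1 root   /usr/libexec/launchd
   42 mobile /usr/sbin/bluetoothd
   57 mobile /System/Library/PrivateFrameworks/IMCore.framework/imagent
  311 mobile /private/var/tmp/example-implant-placeholder
  412 root   /private/var/db/com.example.unknown/helper
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)")


@dataclass(frozen=True)
class Finding:
    pid: int
    path: str
    kind: str    # "ioc" = known indicator, "anomaly" = not in the baseline
    detail: str


def parse_ps(listing):
    """Yield (pid, user, path) per data line; the header has no numeric PID."""
    for line in listing.splitlines():
        m = PS_LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def triage(listing, baseline=KNOWN_GOOD_BASELINE, iocs=KNOWN_IOCS):
    """IoC hits come first; everything else missing from the baseline is an
    anomaly for a human to review, so an IoC list is useful but not required."""
    findings = []
    for pid, user, path in parse_ps(listing):
        if path in iocs:
            findings.append(Finding(pid, path, "ioc", "matches a known indicator"))
        elif path not in baseline:
            findings.append(Finding(pid, path, "anomaly", f"not in baseline (user={user})"))
    return sorted(findings, key=lambda f: (f.kind != "ioc", f.pid))
```

Running `triage` with an empty IoC set still surfaces the placeholder implant path, which is the point of the anomaly stage.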