Apple Warns Iranians of iPhone Spyware Attacks

Recent Spyware Targeting of Iranian iPhone Users

Apple has recently alerted over a dozen Iranian citizens that their iPhones were the targets of state-sponsored spyware, as indicated by findings from security researchers.

Reports from Digital Rights Organizations

Miaan Group, an organization dedicated to digital rights within Iran, alongside Iranian cybersecurity researcher Hamid Kashfi, currently based in Sweden, have both confirmed speaking with multiple Iranians who received these alerts over the past year.

Initial reporting on these spyware notifications was first brought to light by Bloomberg.

Miaan Group's Cybersecurity Report

A report released by Miaan Group on Tuesday detailed the cybersecurity landscape for civil society in Iran.

The report highlighted that researchers identified three instances of attacks utilizing government spyware against Iranian individuals.

Two of these attacks occurred within Iran itself, while a third was detected in Europe, with alerts issued in April of this year.

Details on Targeted Individuals

Amir Rashidi, Director of Digital Rights and Security at Miaan Group, explained that two of the targeted individuals come from families with a long-standing history of political opposition to the Islamic Republic.

He noted that numerous family members have faced execution, and these individuals have no record of international travel.

Rashidi believes these attacks represent only a fraction of the total activity, suggesting there have been at least three distinct waves of attacks.

Attribution of the Attacks

While definitive proof is still needed, Rashidi strongly suspects the Iranian government is responsible for these attacks.

He stated that there is no logical reason for members of civil society to be targeted by any other entity.

Forensic Analysis and Victim Response

Hamid Kashfi, founder of the security firm DarkCell, assisted two victims with initial forensic investigations.

However, he was unable to pinpoint the specific spyware vendor involved in the attacks.

Furthermore, Kashfi reported that some victims chose to discontinue the investigation once they understood the gravity of the situation.

Victim Hesitation

“Most victims became alarmed and ceased communication as soon as we explained the seriousness of the case,” Kashfi explained.

He attributes this reaction to the victims’ workplaces and the sensitive nature of the matters at hand, noting that one notification was received in 2024.

Uncertainty Regarding Spyware Vendor

The identity of the spyware manufacturer remains unclear.

Apple's Threat Notifications

In recent years, Apple has been issuing notifications to users believed to be targeted by government spyware, including Pegasus by NSO Group and Graphite by Paragon.

This type of malicious software is often referred to as “mercenary” or “commercial” spyware.

Impact on Spyware Research

These notifications have been instrumental in helping security researchers document instances of abuse in countries like India, El Salvador, and Thailand.

Global Reach of Government Spyware

According to Apple’s support page for “threat notifications,” last updated in April, the company has alerted users in “over 150 countries” since 2021.

This demonstrates the widespread use of government spyware globally.

Apple does not publicly disclose the specific countries or the total number of individuals notified.

Support for Victims

To assist those affected, Apple has been directing recipients of these threat notifications to AccessNow, a digital rights group offering a 24/7 helpline staffed by researchers specializing in spyware attacks.

AccessNow has been actively documenting cases of spyware abuse worldwide.