
Your Phone Has Built-In Spyware Shields—Here’s How to Use Them


Spyware attacks are no longer fringe events — they’re hitting people near you

Commercial spyware has moved out of the shadows. In early 2025, WhatsApp notified roughly 90 users — the majority of them journalists and civil society members spread across Europe — that Israeli spyware firm Paragon Solutions had targeted them. These weren’t government officials or military figures. They were reporters and activists whose work made someone, somewhere, politically uncomfortable.

Apple sent its own wave of threat notifications to a separate group of iOS users around the same time. Forensic investigators confirmed that at least two of those users, both journalists, had been successfully infected with Paragon’s Graphite spyware. The attack used a zero-click exploit — meaning the victims never tapped a suspicious link, never opened a strange attachment, never made a single mistake. The spyware landed on their phones anyway.

That detail matters. Most people operate under the assumption that staying safe online is a behavior problem: don’t click the wrong thing, don’t download the wrong app. Zero-click attacks erase that assumption entirely. The infection happens at the infrastructure level, targeting vulnerabilities in the phone’s operating system or messaging apps before the user ever sees a notification.

Security researchers have tracked incidents like these for more than 15 years. What has changed is the target profile. Spyware deployments were once associated with heads of state, senior intelligence figures, and high-profile dissidents in authoritarian regimes. The 2025 Paragon cases confirm the targeting has broadened. Professionals whose work touches on politics, policy, organized crime, or corporate wrongdoing now sit inside the threat perimeter. A journalist covering local government corruption and a foreign correspondent reporting from a conflict zone face versions of the same risk — differing in degree, not in kind.

The tools used against them are no longer experimental. Graphite is a mature commercial product, sold by a company with known clients. This is the spyware market functioning as designed.

What zero-click attacks mean — and why your normal security habits won’t stop them

Most security advice assumes you make a mistake. You click the wrong link. You open a suspicious attachment. You trust the wrong sender. Zero-click attacks eliminate that assumption entirely.

When Paragon Solutions’ Graphite spyware hit two journalists in early 2025, as forensic analysts later confirmed, neither target did anything wrong. The compromise happened at the moment a message arrived on their devices — no tap, no interaction, no error in judgment required. Apple sent threat notifications to the affected iOS users after detecting the intrusion. The victims had followed every rule in the standard security playbook, and it made no difference.

This is how zero-click exploits work. Attackers use vulnerabilities in the software that automatically processes incoming data — messaging apps, image renderers, mail clients — so that simply receiving a malicious message triggers the payload. The attack executes before the user is even aware something arrived.

The consequences for conventional security guidance are severe. “Don’t click suspicious links” fails as advice when no clicking is required. “Only open messages from people you know” fails when the exploit fires on receipt regardless. The entire framework of user-caution-as-defense collapses against an attack vector that doesn’t need user participation.

This is the context missing from most mainstream security coverage. Outlets and IT departments still predominantly frame digital threats as phishing problems — social engineering challenges that better-educated users can sidestep. That framing made sense for a previous era of attacks. It does not accurately describe what commercial spyware like Paragon’s Graphite or NSO Group’s Pegasus actually does.

In early 2025, WhatsApp notified roughly 90 users — journalists and civil society members across Europe — that they had been targeted by Paragon. These weren’t people who got careless. They were operating under the assumption that careful behavior was protective. It wasn’t. Understanding that gap is the starting point for any realistic conversation about spyware defense.

The built-in shields most users have never touched: Lockdown Mode and Advanced Protection

Apple’s Lockdown Mode, introduced in iOS 16 and available on every modern iPhone, is one of the most powerful anti-spyware tools most people have never opened. Enabling it takes about 30 seconds inside the Privacy & Security settings menu. What it does is substantial: it blocks most message attachment types, disables link previews, turns off shared albums, and strips out complex web technologies that spyware like Pegasus and Graphite have historically used to silently compromise devices. The zero-click attack that hit two journalists identified by Apple’s own threat notifications in 2025 exploited exactly the kind of rich media processing that Lockdown Mode shuts down.

Google offers a comparable option for Android users through its Advanced Protection Program, which locks down account access, restricts app installations to verified sources, and adds mandatory hardware key authentication. Neither feature requires a paid subscription, a technical background, or third-party software. Both ship with the phone.

The gap between availability and actual use is stark. Security researchers and digital rights organizations that work with journalists and activists report that even high-risk individuals — people who have already been targeted — frequently don’t know these modes exist until after an incident. Apple does not prompt users to consider Lockdown Mode during setup. Google does not surface Advanced Protection during onboarding. The features sit buried in settings menus, waiting.

That obscurity has real consequences. Paragon’s Graphite spyware reached roughly 90 journalists and civil society members across Europe in early 2025 via WhatsApp, a platform used by billions of people daily. The infrastructure to resist that kind of attack already existed on the victims’ phones. The missing piece wasn’t technology — it was awareness. Turning on Lockdown Mode or enrolling in Advanced Protection won’t stop every threat, but both dramatically shrink the attack surface that commercial spyware operators depend on. The tools are built, funded, and ready. They are simply not being used.

App-level protections: what Signal, WhatsApp, and others are doing differently now

WhatsApp made a deliberate choice in early 2025 that signals how seriously platforms are starting to take spyware as a product problem: it directly notified roughly 90 users — mostly journalists and civil society members across Europe — that Paragon Solutions had targeted them. That’s not a legal obligation. It’s a policy decision, and it marks a meaningful shift from treating spyware incidents as something for law enforcement to handle after the fact.

Signal goes further at the architecture level. Its sealed sender feature strips metadata so that even Signal’s own servers can’t easily tell who is messaging whom. Disappearing messages set a hard expiration on stored data, which limits an attacker’s payoff even if they do gain partial access to a device. The logic is straightforward: a compromised device is less useful when there’s less data sitting on it.

That logic extends to practical hardening steps that security experts consistently recommend. Disabling link previews inside messaging apps cuts off one vector that spyware can exploit to fingerprint a device or load malicious content automatically. Turning off or restricting cloud backups of message data removes a secondary copy of conversations that may sit outside the app’s encryption protections — iCloud and Google Drive backups of WhatsApp messages, for example, have historically been stored without end-to-end encryption by default.

None of these steps make a device invulnerable. Paragon’s Graphite spyware compromised two journalists through a zero-click attack — no link tap required. But app-level hardening functions as a layer beneath device-level protections, not a replacement for them. Reducing the volume of accessible data and cutting off automatic content-loading features shrinks the attack surface that sophisticated spyware has to work with. Platforms building these tools into their products is useful. Users actually enabling them is what makes the difference.
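To make the mechanism concrete, here is an added illustration (constructed for this article, not code from Apple, WhatsApp, Signal or any spyware vendor) of why receipt alone is enough for a zero-click chain, and what a lockdown-style policy changes. A messaging client runs decoders and preview fetchers on every part of an inbound message before the user sees it; those automatic processors are the surface an exploit targets. The `Part`, `InboundPolicy` and processor names are invented, the "parsers" are stand-ins that simply raise on malformed input, and the allowlist is a constructed stand-in for "blocks most attachment types, disables link previews, turns off shared albums". What the example shows is the difference in which parts ever reach a parser: under the default policy the malformed image and URL reach the decoder and fetcher the instant the message lands; under lockdown they are held unparsed until the user acts.

```python
"""Constructed example: automatic inbound processing vs. a lockdown-style gate.
Not the implementation of any real messaging client; all names are invented."""
from dataclasses import dataclass
import re


@dataclass
class Part:
    kind: str       # e.g. "text", "image/png", "image/tiff", "link", "album-invite"
    payload: bytes


# Stand-in automatic processors. In a real client these are the image decoders,
# preview fetchers and media handlers that run on receipt with no user action;
# that is the surface a zero-click exploit targets. Here a malformed input just
# raises, standing in for "attacker-controlled data reached a complex parser".
def render_image(part: Part) -> str:
    if not part.payload.startswith(b"\x89PNG"):
        raise ValueError(f"{part.kind} decoder hit malformed data")
    return "image rendered"


def fetch_link_preview(part: Part) -> str:
    url = part.payload.decode("utf-8", "replace")
    if not re.fullmatch(r"https://[\w.-]+(/[\w./-]*)?", url):
        raise ValueError("preview fetcher hit malformed URL")
    return f"preview fetched for {url}"   # a real client makes an outbound request here


def join_shared_album(part: Part) -> str:
    return "album metadata synced"


PROCESSORS = {
    "image/png": render_image,
    "image/tiff": render_image,
    "link": fetch_link_preview,
    "album-invite": join_shared_album,
}


@dataclass
class InboundPolicy:
    """Constructed stand-in for a Lockdown-Mode-style configuration."""
    lockdown: bool = False
    # Under lockdown only these part kinds are handed to a processor on receipt
    # (assumed allowlist; the real feature's list is not modelled here).
    lockdown_allow: frozenset = frozenset({"text", "image/png"})

    def may_auto_process(self, part: Part) -> bool:
        if part.kind == "text" or not self.lockdown:
            return True
        if part.kind == "link":          # link previews disabled under lockdown
            return False
        return part.kind in self.lockdown_allow


def receive(parts: list, policy: InboundPolicy) -> dict:
    """Simulate what happens the instant a message arrives, before any tap."""
    outcome = {"processed": [], "held": [], "parser_errors": []}
    for part in parts:
        if not policy.may_auto_process(part):
            outcome["held"].append(part.kind)   # kept unparsed until the user acts
            continue
        proc = PROCESSORS.get(part.kind)
        if proc is None:                        # plain text: displayed as-is
            outcome["processed"].append(part.kind)
            continue
        try:
            proc(part)
            outcome["processed"].append(part.kind)
        except ValueError:
            outcome["parser_errors"].append(part.kind)
    return outcome


# Constructed sample message: benign text and PNG, plus three parts of the kind
# that automatic processing turns into exposure (malformed decoder input,
# a malformed URL that a preview fetcher would handle, an album invite).
SAMPLE = [
    Part("text", b"hi, see attached"),
    Part("image/png", b"\x89PNG\r\n\x1a\n..."),
    Part("image/tiff", b"II*\x00\xff\xff\xff"),
    Part("link", b"https://example.test/\x00\x00"),
    Part("album-invite", b"album:123"),
]

if __name__ == "__main__":
    print("default :", receive(SAMPLE, InboundPolicy()))
    print("lockdown:", receive(SAMPLE, InboundPolicy(lockdown=True)))
```

Run as-is, the default policy reports two `parser_errors` (the TIFF and the link were parsed on receipt) while the lockdown policy reports none and three `held` parts. The design point is that the gate sits in front of the parsers rather than inside them: it does not need to know which decoder is vulnerable, only which content is worth auto-processing for this user's threat tier.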

Who should actually be using these tools — and what the threat tiers really look like

Not everyone faces the same threat, and treating them as if they do produces bad advice in both directions.

Security researchers draw a hard line between two distinct populations. The first group — journalists, lawyers, human rights defenders, political dissidents, and activists — faces targeted commercial spyware deployed by nation-states and government clients. These are tools like Paragon’s Graphite and NSO Group’s Pegasus, built to compromise a specific individual’s device without any interaction from the target. In early 2025, WhatsApp notified roughly 90 users, most of them journalists and civil society members across Europe, that Paragon had targeted them. Shortly after, Apple sent threat notifications to another group of iOS users; forensic analysis confirmed two of them — both journalists — had been hit with Graphite via zero-click attack. No link clicked, no mistake made. The phone was simply on.

The second group is everyone else. General users face mass-market threats: phishing links, malicious apps, credential-stealing malware distributed at scale. These attacks are opportunistic, not personal. The defenses that work against them — avoiding sketchy downloads, keeping software updated, using strong passwords — do nothing against a zero-click nation-state exploit.

Most mainstream coverage collapses these two groups into a single anxious warning, which serves neither. Average users get frightened about threats that realistically won’t reach them. At-risk users get generic advice when specific, effective tools already exist on their devices — tools designed precisely for their threat level, which they may never activate because no one told them to look.

A practical threat-tier framework is what most security guides are missing. Before recommending any tool or setting, the first question should be: who are you, and who would want to target you specifically? A human rights lawyer working in an authoritarian context needs Lockdown Mode on iPhone or Advanced Protection on Android, full stop. A person worried about an ex-partner installing stalkerware needs different steps entirely. A general user mainly needs good hygiene habits.

The tier determines the tool. Skipping that assessment is how both over-alarm and under-protection happen at the same time.

The uncomfortable truth: tech companies know, and the tools exist — the gap is communication

The capacity to detect and expose spyware already exists inside the platforms billions of people use every day. In early 2025, WhatsApp identified and notified roughly 90 users — journalists and civil society members across Europe — that Paragon Solutions spyware had targeted them. Apple followed with its own threat notifications to iOS users, and forensic analysis confirmed two of those recipients, both journalists, had been infected with Paragon’s Graphite spyware via zero-click attacks requiring no interaction from the victim whatsoever. These companies demonstrated, in real time, that they have the forensic intelligence to detect sophisticated government-grade spyware and reach victims directly. The detection infrastructure works.

What doesn’t work is the communication strategy surrounding it.

Threat notifications arrive after a device is already compromised. They are reactive by design, functioning as a post-mortem rather than a shield. Meanwhile, both Apple and WhatsApp offer hardened security modes — Lockdown Mode on iOS, advanced chat privacy settings on WhatsApp — that meaningfully reduce attack surfaces for high-risk users. Those features exist right now, buried in settings menus, underpromoted, and largely unknown to the journalists, activists, and dissidents who need them most.

The gap between what platforms can do and what at-risk users actually know is not a technical failure. It is a communication failure, and it is a policy choice. Apple and WhatsApp have the direct lines to their users. They send marketing notifications, update alerts, and onboarding prompts routinely. Delivering plain-language, proactive guidance — “If you are a journalist or activist, here is what to enable today” — is entirely within their existing capability. They have simply not chosen to make it a priority.

Closing that gap requires platforms to treat high-risk user protection as a default communication obligation, not an optional support article buried three clicks deep. Until they do, the tools will keep existing, and the people who need them most will keep not knowing to turn them on.

AI-Assisted Content — This article was produced with AI assistance.
