iPhones have a reputation for resilience against complex attacks compared to other phone models. However, “resilient” doesn’t mean “impenetrable.” Cybercriminals have succeeded in infecting iPhones with spyware — malicious software that monitors the device and steals the data stored on it. Let’s look at how iPhone spyware has evolved, how you can learn to detect it, and what tools you need to keep your device safe.
The evolving iPhone spyware threat landscape: From Trident to Pegasus to Coruna
Spyware is a type of malware that infects the victim’s device to track keyboard input and screen taps, harvest stored data, and access the camera and microphone to observe the user. The attacks usually target a specific individual, often on political grounds, without affecting the broader population. However, to execute such sophisticated spyware attacks, hackers first need to break through the device’s general security, something Apple has made very difficult.
iPhone device security has been many cybercriminals’ favorite puzzle since the smartphone first entered the market in 2007. The Apple device ecosystem uses the “walled garden” approach. It’s a closed ecosystem for iPhones, MacBooks, and other devices under Apple’s umbrella that creates a direct interaction between the hardware and the software and ensures the different Apple-based operating systems offer the same services, integrated products, and security measures.
This ecosystem is strictly controlled by Apple, and any software developer hoping to make their product available on an iPhone must first pass a strict vetting process intended to keep vulnerable or malicious software off the device. Unlike Android devices, which use a more open ecosystem, iPhones are notoriously difficult to crack.
Criminals have made numerous attempts to break into iPhones over the years. In 2016, the phones were targeted by Trident, spyware designed to exploit three zero-day vulnerabilities found in the operating system. The primary target was a human rights activist who reported suspicious text messages he’d received to security experts, leading to Apple promptly patching the vulnerabilities. Back then, cybercriminals used spoofed links in text messages, hoping the target would open them and install the spyware — a run-of-the-mill phishing strategy to execute sophisticated malware.
Over the years, criminals have become sneakier, relying on more complex strategies to break through Apple’s security barriers. In 2021, Apple had to swiftly issue a software patch for an iMessage vulnerability that posed risks to iPhones and iPads. The Pegasus spyware used in this attack could be installed remotely and was sold to governments as a surveillance and anti-terrorism tool. Pegasus made the headlines again in 2023, when it was revealed that the software was remotely installed on multiple devices to spy on journalists.
In 2025 and early 2026, Google Threat Intelligence Group (GTIG) reported another threat, this time targeting older iOS devices. Coruna, a highly sophisticated exploit kit, was designed to perform a number of unique actions to bypass Apple’s security measures and compromise devices that can no longer receive the latest iOS updates. This exploit was used in watering hole attacks, where criminals lure users into a spoofed website to download malware. The process runs in the background without the user even realizing their phone has been infected.
Around the same time as Coruna’s emergence, another iPhone spyware, Graphite, was discovered. It used a zero-click exploit via a corrupted iMessage account to intercept the device user’s messages. Apple issued alerts to the impacted users and patched the vulnerabilities.
Technological developments have made spyware attacks harder to detect. A decade ago, criminals still needed the user to actively install the malicious program on their device by interacting with a spoofed link. Now, they can execute the code in the background without their target’s knowledge.
Detecting spyware is just as complicated, and dedicated scanners offer only limited help. The only true fix for iPhone spyware is Apple’s security patches. Although spyware has historically been used primarily for targeted attacks against individuals or specific groups such as journalists and activists, it carries the risk of being turned into a mass surveillance tool.
How to find spyware on iPhone devices: Signs and solutions
Spyware’s purpose is to infect a device without the user realizing it. It usually targets older devices that rarely, if ever, receive security patches, meaning it can run undetected in the background for an extended time. Nevertheless, figuring out how to check for spyware on iPhone devices is still possible even if you don’t know how the background processes work.
Check technical indicators
When you use a device daily, you start noticing when things go wrong. Malicious software uses a lot of resources for background processes, like accessing the microphone and camera or transmitting files, which leads to sudden battery drain and your device overheating or running significantly slower than before. Check your device activity to see which processes are using the most resources and identify whether malicious code is running even when you’re not actively using the phone. Keep in mind that these signs are also common for older phones running on original hardware, so look for other spyware indications as well.
Identify network anomalies
Spyware requires Wi-Fi or mobile data access to transfer files, and the more files it harvests from your phone, the more bandwidth those transfers consume. If you notice your phone is using more data than usual, spyware might be the culprit. Limit how and when you use mobile data by manually switching it off to prevent unauthorized use.
Look for and delete suspicious apps
Spyware can be encoded in a compromised or deliberately malicious app. If you install and run the app, you unknowingly allow spyware to access your device. To date, messaging apps have been some of the most frequently impacted by this type of malicious software. Double-check if the apps on your phone are legitimate. See their reviews on the App Store to confirm whether you’ve installed the legitimate one. If you detect a suspicious app, uninstall it immediately and reboot your device.
Watch out for other unfamiliar activity
Check which accounts are added to your device. If you spot unfamiliar email addresses, phone numbers, or recovery details you never entered, your device might be compromised. Keep an eye out for unexpected phone reboots, check whether your camera or microphone is active even when you’re not using it, and watch for screen input when you’re not tapping the screen. All these signs are common traits of iPhone spy software. You should remove all unfamiliar details, reboot your device, and reset your password and recovery method.
Run a hard device reboot
Spyware for iPhones is susceptible to a simple procedure — a hard device reboot. Most spyware strains are non-persistent, meaning they can only run and access your device’s functions until you reboot the phone. If you suspect that your iPhone has been infected with spyware, run a hard reboot. To do this, you need to:
Press the volume up button.
Press the volume down button.
Press and hold the power button for at least 10-15 seconds until the screen goes dark.
Release the power button once the Apple logo appears on the screen.
One-click vs. zero-click attacks: How spyware gets into the device
Typically, malware requires direct user action to be installed, known as a one-click or one-tap attack. This usually occurs when the user receives a phishing link or file over their iMessage, email, or other messaging and communications service. They tap the link, allowing malicious code to detect and exploit a specific active vulnerability. It takes root in the device without the user realizing it. However, if the user doesn’t interact with the link, their device remains safe.
Zero-click (or zero-tap) attacks are more sophisticated and slippery. They take advantage of vulnerabilities without needing any user interaction. For instance, the Graphite attack exploited how the iMessage service processed iCloud links. The target would receive a message containing a malicious link that carried code to trigger the spyware installation. The phone processed the message content and fetched data in the background before the user opened it — hence, a zero-click interaction that led to device compromise.
Zero-click attacks can detect if the iPhone runs an iOS version without the vulnerability patched, allowing it to effectively infect the device. Unlike one-click attacks, the user has no power to prevent them, aside from deleting all communication apps. However, this doesn’t guarantee that other vulnerabilities won’t be exploited in the future.
Lockdown Mode: The feature for the worst day scenario
Spyware attacks typically target specific individuals and can seem less relevant to the average user. However, to protect targeted individuals from highly sophisticated spyware attacks, Apple has developed the Lockdown Mode feature, which alters how certain built-in device features function to protect the user’s privacy and stored data.
Lockdown Mode blocks most message attachments and switches off previews to prevent zero-click exploits. It significantly restricts sharing features, preventing your device from joining shared Apple services or accepting new shared photo albums. If you want to share media items from your device, all location data is automatically excluded to prevent the recipient from seeing it. Lockdown Mode also restricts people from calling you using FaceTime if you haven’t called them in the past 30 days.
To prevent one-click attacks and network interception, Lockdown Mode ignores all non-secure Wi-Fi networks and disables 2G and 3G support. If you use Wi-Fi with Lockdown Mode switched on, it will affect website loading speed and may prevent some web elements from displaying properly in order to block potentially hidden phishing links. You won’t be able to connect to external accessories or other computers.
To set up Lockdown Mode on your iPhone, you need to:
Open your device’s settings.
Tap “Privacy and security.”
Under the “Security” tab, select “Lockdown Mode.”
Select “Turn on Lockdown Mode.”
Tap “Turn on and restart.” You may be prompted to enter your device’s passcode to confirm.
Lockdown Mode is intended to be an emergency measure for the unlikely scenario of a targeted attack. It doesn’t interfere with emergency features to let you receive essential help. You can choose to exclude some apps from being locked down if necessary. However, this may compromise device security.
How to remove spyware from iPhone devices
If you have definitive proof that your phone has been infected, you can try a few strategies to remove spyware and protect your data:
Reboot the device immediately. This disrupts in-memory exploits and prevents spyware from gathering further data from your device’s memory.
Update to the latest iOS version or install the available security patch. Spyware attacks exploit zero-day vulnerabilities, so make sure you get the latest security patches on your device.
Use the Safety Check feature. See if anyone has gained unauthorized sharing access to your location and data and revoke it immediately.
Uninstall unfamiliar apps. If you notice an unknown app or see duplicates of the same app, this may be malware. Uninstalling them may help you effectively remove spyware from your device.
Change your Apple Account password. Update your Apple Account login credentials immediately. Use a password generator to ensure the new password is strong and secure. We strongly recommend adding multi-factor authentication to the login process.
Change the iPhone passcode. To prevent attempts to remotely overtake your device, set up a new passcode for your lock screen.
Do a full factory reset. If the previous steps haven’t helped rid your device of the malicious software, run a full factory reset to clean your iPhone completely. If you have any important files, make sure you back them up beforehand.
Upgrade your iPhone. Apple has clear support cut-offs for older iPhone models and iOS versions. If your phone can no longer receive security updates, consider switching to a newer device. Before logging in to your accounts on the new phone, use a data breach monitoring tool to make sure the login credentials haven’t been compromised.
Hardening your iPhone’s resilience
Although companies can dedicate resources to protecting their devices from serious exploits, user awareness (or lack thereof) often opens doors for criminals to access sensitive data and take over the device. To protect yourself from spyware attempts, you should add a few extra steps to your device care practices:
Limit who has access to your phone number. To prevent unknown senders from exploiting iMessage vulnerabilities, only share your phone number with people you trust.
Double-check the apps you install. Make sure you’re downloading an app from a reputable developer to avoid accidentally installing copycat malware. Keep a close eye on messaging apps, which tend to be exploited.
Know your device security. Routinely review your iPhone for changes to your account information, new shared accounts, and adjustments to privacy settings.
Avoid connecting to unprotected Wi-Fi networks. Using public networks poses the risk of traffic interception. If you must use an unprotected network, switch on a VPN first.
Secure your account credentials. Don’t store any passwords in unencrypted notes on your phone. Use a password manager with zero-knowledge architecture to prevent your credentials from being accessed without your knowledge.
A password manager like NordPass can help you stay prepared in case you and your data are targeted by malware. NordPass uses XChaCha20 encryption to provide robust protection for your passwords, passkeys, secure notes, credit card details, and other sensitive information. It also allows you to upload digitized documents to your vault, so you can store sensitive files on your iPhone with extra protection.