France Warns Apple Users of a New Spyware Campaign: What It Means and What to Do Now

If you use an iPhone in France, you may have seen a worrying message from Apple: a state‑sponsored spyware campaign may be targeting your device. That’s not clickbait—it’s a real alert confirmed by France’s national incident response team, CERT‑FR, and it needs your attention.

Here’s the bottom line: Apple has notified some users that their devices may have been targeted. CERT‑FR is asking anyone in France who received this notification to contact them immediately and to avoid making changes to their device—including restarting it—so investigators can do their work. This is a serious, targeted campaign. But with the right steps, you can protect yourself and your organization.

In this guide, I’ll explain what’s happening, why it matters, how to verify alerts, and exactly what to do next—whether you got a notification or just want to reduce your risk.

Let’s unpack it clearly and calmly.

What Happened: Apple and CERT‑FR Confirm Spyware Targeting

On September 11, the French Computer Emergency Response Team (CERT‑FR), which operates under France’s national cybersecurity agency ANSSI, published an advisory confirming a new spyware campaign targeting Apple users. According to the advisory, Apple began sending threat notifications to targeted users on September 3.

Key points from CERT‑FR’s advisory:

  • If you received a notification from Apple, at least one device associated with your iCloud account has likely been targeted—and may already be compromised.
  • There can be a delay of weeks or even months between compromise and the notification.
  • In France, recipients should contact CERT‑FR immediately and avoid altering their device in any way (including restarting it), to preserve evidence for investigation.
  • Keep the original Apple email if you got one. Legitimate notifications originate from threat-notifications@email.apple.com or threat-notifications@apple.com.

For context, Apple has been notifying at‑risk users about mercenary spyware since 2021 and has continued doing so regularly. CERT‑FR notes Apple sent at least four waves of alerts in 2025 alone—on March 5, April 25, June 25, and September 3. This aligns with Apple’s broader efforts to protect high‑risk users and disable exploit chains used by advanced spyware vendors.

Useful references:

  • Apple’s official guidance on threat notifications: Apple Support – If you receive a threat notification
  • CERT‑FR and ANSSI portals: CERT-FR and ANSSI
  • Apple’s ongoing security updates: Apple Security Updates

What an Apple Threat Notification Really Means

Let’s be clear. Apple’s threat notifications are serious. They indicate your device may have been deliberately targeted by a sophisticated actor—often using expensive, hard-to-detect exploits. These are not random malware popups or generic phishing emails.

Important details:

  • Apple uses a mix of technical signals and intelligence to decide when to notify. They avoid sharing specifics to prevent tipping off attackers.
  • False positives are rare but possible. That’s why coordination with trusted authorities (like CERT‑FR) is crucial.
  • Not receiving a notification does not mean you’re safe—only that Apple has not detected targeting tied to your account at this time.

Here’s why that matters: mercenary spyware like NSO Group’s Pegasus or Cytrox’s Predator often uses “zero‑click” exploits—no taps needed—to infect devices through messaging apps or web services. These tools target specific individuals such as journalists, human rights defenders, policymakers, and senior executives. Investigations by groups like The Citizen Lab and Amnesty International’s Security Lab show how common and global this threat has become.

If You Received the Apple Alert in France: Follow This Exact Playbook

If you got a notification from Apple, treat it as high‑priority. CERT‑FR’s advice is precise because evidence can be fragile.

Do this now:

  1. Do not restart, wipe, update, or modify the device. Avoid logging out of iCloud, removing apps, or changing settings. Every change can erase forensic evidence.
  2. Keep the original Apple email. Preserve headers and all content. It helps investigators validate authenticity and timing.
  3. Contact CERT‑FR from a safe device. Use a separate phone or computer that you believe is uncompromised. Reach out via CERT-FR’s contact page and follow their instructions.
  4. Minimize sensitive activity on the potentially compromised device. Until an investigator advises otherwise, avoid discussing private matters or opening sensitive documents on it.
  5. Inform your organization’s security team (if applicable). Use a secure channel and a separate device.

A note on communications safety: If you believe your device may be compromised, assume messages, calls, and nearby audio could be exposed. Coordinate via a trusted alternative—like a known‑clean device, a landline, or in person. For broader guidance, see the EFF’s Surveillance Self‑Defense.

How to Verify Your Apple Alert Is Real—and Spot Phishing

Advanced attackers also send fake “security alerts” to trick you into clicking links or entering your password. Don’t fall for it.

Verify a real Apple notification:

  • Check the sender. Legit emails come from threat-notifications@apple.com or threat-notifications@email.apple.com.
  • Sign in at appleid.apple.com from a trusted browser. If you’ve been notified, you’ll see a prominent warning after you sign in.
  • Cross‑check with Apple’s guidance: Apple threat notification FAQ.

Red flags for phishing:

  • Urgency that pressures you to click a link or download an app.
  • Requests for passwords, verification codes, or credit card info.
  • Non‑Apple domains (look closely at the URL, including misspellings).

If you’re unsure, do not click links in the email. Instead, go directly to appleid.apple.com or contact Apple Support from their official site.
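The sender check above, written out as an added example (not code from Apple, CERT‑FR, or this article's author): the visible From address can be forged, so the script also reads the Authentication-Results header that the receiving mail server stamps on the preserved email. The authserv-id `mx.mailprovider.example` and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sender addresses the article lists for genuine Apple threat notifications.
LEGIT_SENDERS = {"threat-notifications@apple.com",
                 "threat-notifications@email.apple.com"}

def check_alert(raw_eml, trusted_authserv):
    """Check a saved alert email. trusted_authserv is the authserv-id your own
    mail provider stamps (the value used below is hypothetical)."""
    msg = message_from_string(raw_eml)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Trust only an Authentication-Results header stamped by our own provider;
    # any other copy could have been inserted by the sender.
    auth = ""
    for value in msg.get_all("Authentication-Results") or []:
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == trusted_authserv:
            auth = results.lower()
            break
    signer = re.search(r"\bdkim=pass\b[^;]*?header\.d=([a-z0-9.-]+)", auth)
    dkim_domain = signer.group(1) if signer else ""
    checks = {
        "sender_listed": sender in LEGIT_SENDERS,
        # A passing DKIM signature counts only if its domain is apple.com or below.
        "dkim_pass_aligned": dkim_domain == "apple.com"
                             or dkim_domain.endswith(".apple.com"),
        "dmarc_pass": re.search(r"\bdmarc=pass\b", auth) is not None,
    }
    checks["verdict"] = "consistent" if all(checks.values()) else "suspect"
    return checks

def _sample(from_hdr, results):
    # Constructed sample message, not a real Apple email.
    return (f"Authentication-Results: mx.mailprovider.example;{results}\n"
            f"From: {from_hdr}\nSubject: constructed sample\n\nbody\n")

GENUINE_LOOKING = _sample("Apple <threat-notifications@email.apple.com>",
    " dkim=pass header.d=email.apple.com; spf=pass; dmarc=pass")
LOOKALIKE = _sample("Apple <threat-notifications@apple.com.alerts.example>",
    " dkim=pass header.d=alerts.example; spf=pass; dmarc=pass")
FORGED_FROM = _sample("Apple <threat-notifications@apple.com>",
    " dkim=none; spf=fail; dmarc=fail")

if __name__ == "__main__":
    for name in ("GENUINE_LOOKING", "LOOKALIKE", "FORGED_FROM"):
        print(name, check_alert(globals()[name], "mx.mailprovider.example"))
```

Run it on an exported copy of the email from a separate, trusted device. A "consistent" verdict only means the headers match the listed senders; the sign-in check at appleid.apple.com is still the confirmation.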

No Alert? Don’t Wait—Reduce Your Spyware Risk Today

Even if you didn’t receive a notification, now is the perfect time to harden your devices. CERT‑FR’s recommendations are practical and effective.

Start with the basics:

  • Enable two‑factor authentication (2FA) for your Apple ID: Set up 2FA
  • Update all devices promptly. Turn on automatic updates, especially for security patches.
  • Don’t click suspicious links. Be wary of unexpected messages, especially with attachments or shortened URLs.
  • Use unique, strong passwords and a reputable password manager.
  • Review your Apple ID devices and sign‑ins regularly.

Go further with targeted hardening:

  • Enable Lockdown Mode if you’re at elevated risk (more on that below).
  • Separate work and personal use. Ideally, use different devices. At minimum, use separate Apple IDs for work and personal.
  • Audit installed configuration profiles and VPNs. Remove any you don’t recognize (on a non‑compromised device, or with help from an admin).
  • Favor official app stores and avoid sideloading or enterprise profiles you don’t control.
  • Consider daily restarts as a hygiene measure. Some spyware relies on in‑memory techniques that a reboot can disrupt. This won’t fix a deep compromise, but it can reduce exposure between updates.

Important exception: If you received Apple’s threat notification and live in France, follow CERT‑FR’s instruction not to restart or modify your device, to preserve evidence.

Lockdown Mode: When to Use It and What It Actually Does

Lockdown Mode is Apple’s high‑security setting introduced to blunt the types of exploits used in mercenary spyware. It tightens iPhone, iPad, and Mac attack surfaces by restricting features often abused by zero‑click vulnerabilities—think message attachments, some web technologies, and incoming invitations.

Turn it on if:

  • You’re a journalist, activist, lawyer, public official, executive, or anyone who may be a target.
  • You travel to high‑risk environments.
  • You’ve received an Apple threat notification in the past.

Trade‑offs exist. Some features are limited, and certain apps may behave differently. But the protection uplift is significant for high‑risk users.

How to enable it:

  • Go to Settings > Privacy & Security > Lockdown Mode and follow the prompts.
  • Learn more here: Apple – About Lockdown Mode

If you’ve been notified and are working with CERT‑FR, ask investigators before enabling Lockdown Mode. In some cases, changing device state can impact evidence collection.

Why Daily Restarts Can Help (And When They Don’t)

CERT‑FR recommends restarting devices regularly—ideally once a day—to reduce exposure. Here’s the logic:

  • Many high‑end iOS exploits live in memory and don’t persist across reboots unless a persistent foothold was installed.
  • A restart can break the chain, forcing attackers to reinfect, which they can’t always do silently if you’ve updated or enabled extra mitigations.
  • It’s not a silver bullet. Some implants persist across reboots or use configuration profiles and other mechanisms to survive.

Bottom line: Daily restarts are a simple, low‑friction habit that can lower risk between patches. But if you’ve been notified that you were targeted, do not restart until investigators advise you to.

New in iPhone 17: Memory Integrity Enforcement Raises the Bar

In September 2025, Apple introduced a new anti‑exploit mechanism—Memory Integrity Enforcement—in iPhone 17 and iPhone Air. This feature focuses on preventing or disrupting memory corruption, which is the foundation of many high‑end exploits used by spyware and state‑sponsored attackers.

What that means in plain language:

  • Many hacks rely on tricking the system into reading or writing memory in ways it shouldn’t. Think of it as slipping past guardrails and seizing control.
  • Memory Integrity Enforcement adds new guardrails—some enforced by hardware, others by the operating system—to make those tricks far less reliable.
  • When exploitation attempts become unstable or fail more often, attackers need more expensive, complex chains—and those chains are harder to develop and easier to detect.

This builds on Apple’s broader strategy:

  • Rapid patching of zero‑days, often documented here: Apple Security Updates
  • Hardening features like Pointer Authentication and Lockdown Mode
  • Targeted notifications to at‑risk users

Here’s why this matters: high‑end spyware thrives on reliability. When platforms add strong memory protections, zero‑click infections get rarer, and costs for attackers go up. That’s good news for users—especially those most at risk.

Who Is Most at Risk from Mercenary Spyware?

Mercenary spyware is expensive and typically reserved for targeted surveillance—not mass infection. Common targets include:

  • Journalists and editors
  • Human rights defenders and civil society leaders
  • Lawyers and investigators
  • Political figures and public officials
  • Business leaders in sensitive sectors (defense, energy, tech, healthcare)
  • People connected to any of the above

If that’s you, consider Lockdown Mode, strict separation of personal/pro use, daily restarts, and dedicated devices for travel or high-risk work.

For Organizations: Policy‑Level Protections That Actually Work

If you manage a team or an organization, pair user education with structural controls.

Smart policies:

  • Separate devices and identities. Issue dedicated work devices with managed Apple IDs. Avoid BYOD for high‑risk roles when possible.
  • Enforce updates. Use MDM to require automatic updates and to block outdated OS versions from accessing corporate resources.
  • Lockdown for high‑risk roles. Create an opt‑in “high‑risk profile” with Lockdown Mode guidance, travel devices, and special support channels.
  • Audit configuration profiles and certificates. Restrict who can install them and log all changes.
  • Minimize attack surface. Limit iMessage or FaceTime to managed accounts; restrict unknown AirDrop.
  • Build a response playbook. Include steps for when an employee receives an Apple threat notification: who to call, how to preserve evidence, and how to communicate securely.

If you’re in France and an employee receives an Apple notification, sync with CERT‑FR promptly. For organizations outside France, coordinate with your national CERT and Apple’s security channels.

Practical Hygiene Checklist You Can Do Today

A quick, do‑this‑now list—without overhauling your life:

  • Turn on automatic updates on all Apple devices.
  • Enable 2FA for your Apple ID and key accounts.
  • Stop clicking links from unknown senders—verify first.
  • Remove unknown or unneeded configuration profiles.
  • Consider Lockdown Mode if your risk is elevated.
  • Restart your device daily (unless advised otherwise by investigators).
  • Review your Apple ID devices and sign‑outs at appleid.apple.com.
  • Use a password manager and unique passwords everywhere.
  • Back up regularly to iCloud or an encrypted local backup.
  • Keep an “out‑of‑band” way to communicate during incidents (a secondary device or channel).

Frequently Asked Questions

How do I know if the Apple spyware notification I received is real?

  • Verify the sender: threat-notifications@apple.com or threat-notifications@email.apple.com.
  • Sign in at appleid.apple.com. If you’ve been notified, you’ll see a warning after you sign in.
  • Cross‑check Apple’s official guidance: Apple threat notifications.
  • When in doubt, don’t click links in the email—go directly to Apple’s site or contact support.

What should I do first if I get the alert in France?

  • Don’t restart, wipe, or change your device.
  • Preserve the original email.
  • Contact CERT‑FR using a separate, trusted device: Contact CERT‑FR.
  • Limit sensitive activity on the potentially compromised device.

If I didn’t get an alert, does that mean I’m safe?

Not necessarily. It means Apple hasn’t detected targeting tied to your account. You should still update, enable 2FA, and follow best practices.

Does Lockdown Mode make my iPhone “bulletproof”?

No security feature is absolute, but Lockdown Mode significantly reduces attack surface and has blocked real‑world exploit vectors. It’s recommended for high‑risk users and during high‑risk travel.

Can antivirus apps detect this kind of spyware on iOS?

Generally, no. Mercenary spyware relies on sophisticated exploits and hides deep in the system. Detection often requires specialized forensics. Focus on prevention, rapid updates, and response plans.

Why does CERT‑FR say not to restart if I get a notification?

Investigators need the device in its current state to capture volatile evidence. A reboot or update can erase crucial clues about the exploit or implant.

Is restarting daily actually helpful?

It can disrupt some in‑memory implants and reduce exposure between patches. It’s not a cure‑all. If you’ve been notified and are working with investigators, don’t restart until they say so.

What is Memory Integrity Enforcement on iPhone 17?

It’s a new defense focused on memory corruption attacks. By enforcing stricter integrity checks, it makes many exploit techniques less reliable—raising the cost for attackers and reducing successful infections.

Who should consider separate devices for work and personal use?

Anyone handling sensitive data or operating in high‑risk environments: executives, public officials, journalists, lawyers, and security practitioners. Separation reduces cross‑contamination and lowers blast radius.

Where can I learn more about mercenary spyware?

  • Investigative research: The Citizen Lab and Amnesty Security Lab
  • Apple security updates and mitigations: Apple Security Updates

The Takeaway

Apple’s latest wave of threat notifications—and CERT‑FR’s rare public advisory—signal a serious, ongoing campaign targeting select Apple users in France. If you received an alert, preserve your device, keep the email, and contact CERT‑FR from a safe device right away. If you didn’t, this is your cue to harden your setup: updates on, 2FA enabled, Lockdown Mode if you’re at risk, and smart daily habits like careful link hygiene and regular restarts.

Security is a process, not a panic. Each step you take—big or small—raises the cost for attackers and lowers your risk.

If you found this helpful and want more practical guides on staying safe from sophisticated threats, consider subscribing for future updates and deep dives. Stay safe out there.
