Protecting Against Spyware
Spyware is software that can infect your device to spy on you and steal your data without your knowledge or consent. Phones are most often targeted because they offer location data, but laptops and other devices can be targeted as well.
Spyware can extract your private messages (even on encrypted messenger apps like Signal), monitor your conversations, track your location in real time, and even turn on your camera and microphone without you being aware. All this data gets sent back to whoever controls the spyware.
Spyware is made and sold by private companies to governments and other clients. It's used heavily in authoritarian countries, but has been deployed by other countries like Spain and Canada. Now, ICE has purchased access to spyware tools.
The two most well-known spyware programs are Pegasus (from NSO Group) and Graphite (from Paragon Solutions). Both companies were founded by executives who used to work for Unit 8200, Israel's equivalent of the NSA in the US.
How likely am I to be the target of spyware?
So far we have observed spyware being deployed against high-profile targets:
High-profile organizers and activists
Human rights lawyers
Investigative journalists
We have also seen cases where families of targets have had devices infected with spyware.
Our assessment is that the vast majority of activists and organizers will NOT be targeted with spyware and would benefit more from protecting against other threats.
We suggest folks start with our Security Essentials Checklist and then come back to this guide. That guide will help you protect against cheaper-to-deploy surveillance technologies like location tracking or phone-cracking software they can use after they seize your device.
There are other less costly methods that authorities resort to in order to surveil, subvert, and sabotage movements. However, as the US continues to slide into authoritarianism, we can expect spyware to be used more broadly against activists.
The good news: the steps you need to take to help protect yourself from spyware will also help you protect against other kinds of attacks that are more likely, so they are good to complete regardless.
Don't panic: It's easy to read about these advanced hacking tools and get very concerned. Most activists will not be targeted with spyware. The authoritarians want us to believe that they are all powerful and can see everything we do. The truth is they can't see everything and we can make it more costly for them to surveil us.
Baseline protections
This section is for anyone doing activism or advocacy work.
Complete our Digital Security Essentials checklist
We recommend going through the steps outlined in our Digital Security Essentials checklist.
Many of these steps will help protect you against spyware.
The two most important things you can do to protect against spyware are (both outlined in the checklist linked above):
Keep your device operating system up to date (never press "update later"!)
Do not click suspicious links. Especially if they are from people you don't know or seem urgent/scary.
Install the latest software updates for your laptop, phone, and apps
The latest updates for your computer, phone, and apps all contain security fixes that help keep your system safe from attackers.
All software contains bugs, which are errors or flaws that can lead to various issues.
Don't wait to update! We know it's tempting to press "I'll do this later" when prompted for an update. Here's why it's important to do right away: When a new update comes out, it's often because a vulnerability in the system/app is now public. That means attackers are now trying to use that method of attack on anyone who hasn't run the updates. The longer you wait, the more vulnerabilities can be used against you.
How to run updates
iPhone
Verify your device is still supported: Check for iPhone models. Make sure there is a "Yes" in the "Supported" column.
Operating System: Settings → General → Software Update
Apps should already be automatically updated unless you have disabled this option.
Mac
Verify your device is still supported: Make sure your Mac isn't on this "obsolete" list. You can check your Mac model by going to the Apple menu → About This Mac.
Operating System: Apple menu → System Preferences → Software Update
Apps installed via the Mac App Store: These apps should already be automatically updated unless you have disabled this option.
Other apps: Check for updates by going to the top menu bar → Click on the app name → Click either "Check for updates" or "About [APP NAME]" or look inside "Settings...". If you don't see an option to update, it may be set to automatically update in the background.
Android
Verify your device is still supported: Check Samsung models or Google Pixel models, depending on your manufacturer. Make sure there is a "Yes" in the "Security Updates" column.
Operating System: Settings → System → System Update (may vary by manufacturer)
Apps should already be automatically updated unless you have disabled this option.
Windows
Update your system: Start → Settings → Update & Security → Windows Update
Verify your device is still supported: After attempting an update, you should be able to see your current operating system version number. Check that version number against this list of Windows versions that are still receiving security updates.
Microsoft Store apps: Make sure you enable automatic updates (on by default).
Other apps: Look for updates in the menu bar under Help > Check for Updates, or search for "Updates" or "About" in the app's settings.
Enable Lockdown Mode (iPhone) or Advanced Protection (Google & Android)
Mercenary spyware is an extremely advanced attack, exploiting sophisticated vulnerabilities on our devices. In response, Apple and Google have introduced an advanced security mode that offers enhanced protection against spyware.
On iPhones, it's called Lockdown Mode and on Android, it's called Advanced Protection Program. (You can also enable Advanced Protection Program on just your Google Account even if you don't have an Android phone.)
We have no reports of anyone getting infected with spyware who had Apple's Lockdown Mode enabled. Android's Advanced Protection is more recent and its effectiveness has yet to be tested.
Usability trade-offs: There are some functionality sacrifices you make for this additional protection. See the lists below. If you encounter issues that don't work for your needs, you can always disable the feature later.
How to enable Lockdown Mode for iPhones
iPhone: Settings → Privacy & Security → Lockdown Mode → Enable
Enabling Lockdown Mode introduces some usability tradeoffs on your phone. See list below.
This feature is available for iOS version 16 and above.
How to enable Advanced Protection on Android
Android: Settings → Security & Privacy → under "Other Settings" tap Advanced Protection.
Note: The location of this setting may vary between Android devices, so we recommend searching for 'Advanced Protection' in the Settings search bar.
This feature is available for Android 16 and above.
Usability trade-offs
For anyone worried about targeted attacks, these usability trade-offs will likely be worth the big increase in security.
iPhone Lockdown Mode: Features that will be harder to use
No clickable links in messages (mainly within iMessage) - Links show as raw URLs and don't work (i.e. are not instantly clickable). You have to copy-paste them manually to a browser. This encourages you to make sure they are safe before doing so, since spyware often arrives via a text message containing a custom-designed link that is impossible to ignore for you in particular.
Most message attachments blocked (also mainly within iMessage) - When receiving PDFs, documents, Office files, contacts, location over iMessage, you might not be able to view them normally and iMessage will indicate "1 attachment." This is because some spyware can be delivered through malicious attachments.
FaceTime calls from unknown contacts blocked - Lockdown Mode will block call attempts from unknown contacts or people you have not been in touch with in the last 30 days. You will be notified if this user attempts to FaceTime you and you can decide to call back if the call attempt is genuine.
Web fonts don't load - Websites appear with system fonts only and often look weird.
Images may not display - Some images show as missing image icons.
Interactive webpage elements fail - Complex web features, animations, dynamic content often broken.
Location sharing is disabled in Find My. You can see other people's locations but they can't see yours.
iCloud Shared Albums don't work as expected - When you share photos in a shared album, location information is excluded. Shared Album invitations might be blocked too.
Device won't connect to any WiFi automatically - In Lockdown Mode your phone won't connect to insecure WiFi networks automatically, and you will need to manually connect to the chosen network and accept the security risk.
2G or 3G support is turned off - If you find yourself in a location with 2G or 3G cellular network with Lockdown Mode, your phone will simply not connect (as 2G / 3G is more insecure than 4G / 5G).
Learn more about Apple's Lockdown Mode.
Google/Android Advanced Protection Program:
Security key required - Must use security key/passkey for every new device sign-in to Google Account, which can take some getting used to.
JavaScript optimizer disabled (Chrome) - Some complex websites may not work properly.
No sideloading - Can't install apps from outside Play Store or verified stores.
USB locked when device locked - Must unlock device before connecting USB accessories.
Insecure Wi-Fi blocked - Won't auto-connect to open/WEP Wi-Fi networks.
Enhanced Safe Browsing warnings - More download warnings and potential blocked websites.
Fast charging might not work as expected - You might need to unlock the phone in order to activate fast charging.
Learn more about Android Advanced Protection Program.
Enable iCloud Advanced Data Protection (iPhone) or Google Advanced Protection Program
Apple, Google, and other services offer additional security features to protect against targeted attacks on your accounts and data. These protect your online accounts with each company, not your device itself.
Apple's Advanced Data Protection enables end-to-end encryption for most of your content.
How to enable advanced protection on your email/cloud accounts
Protect your data:
iCloud Advanced Data Protection - Enables end-to-end encryption for almost all data stored in iCloud, protecting your information against government court orders. Make sure you save the recovery key somewhere very safe (like a password manager).
Protect your account:
Google's Advanced Protection Program - Helps protect your account from phishing and unauthorized access.
Don't click suspicious links
You can protect yourself against spyware by being cautious about what you click on.
Spyware often arrives through a text or email with a link custom-designed to feel impossible-to-ignore specifically for you. These aren't random spam - they're personalized attacks that exploit what matters most to you.
How to catch and respond to suspicious links
When in doubt: Do not click the link!
Instead, contact the sender (whether a business or a friend) through a different method (call them, use a different app) to verify they actually sent it. Taking 2 minutes to verify is always better than clicking and compromising your device.
If it is a shortened URL like bit.ly or tinyurl.com, you can use ExpandURL.net to view the destination page, but this provides no guarantee that the page isn't spyware. It just helps you view the true URL so you can make a better assessment of whether you trust it.
Red flags to watch for:
Messages from numbers you don't recognize: We all get messages from services that aren't in our contact book often, so it can take work to discern whether this is a legitimate message or not. If it's someone not in your contact book, approach it with more caution.
Urgency or fear: "Your account will be locked," "Urgent security alert," "Family emergency"
Unfamiliar domain name: Spyware texts often come from weird domains like adsmetrics[.]co
Too personal: References your activism, recent events you attended, or people you know - designed to bypass your critical thinking
Unexpected messages: A contact sends a link with no context, unusual phrasing, or at a strange time (their account may be compromised)
Shortened URLs: bit.ly, tinyurl.com, or other link shorteners that hide the real destination
Slight misspellings in the URL: goog1e.com instead of google.com
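The red flags above can also be checked mechanically, for example by someone triaging messages forwarded by a group. The following is an added example, not part of the original guide; the trusted-domain list, shortener list and urgency phrases are small constructed samples, and an empty result does not mean a link is safe.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example (not from the guide): the allow-list, shortener
# list and urgency phrases below are small constructed samples.
TRUSTED = {"google.com", "apple.com", "signal.org", "whatsapp.com"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
URGENCY = ("urgent", "will be locked", "emergency", "promptly", "security alert")
# Characters commonly swapped in lookalike domains, mapped to what they imitate.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z]{2,}(?:/\S*)?", re.I)


def host_of(url):
    """Return the lower-cased host of a URL, accepting defanged '[.]' dots."""
    url = url.replace("[.]", ".")
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def red_flags(message, sender_known):
    """Return the sorted list of red flags from the guide that a message trips."""
    flags = set()
    if not sender_known:
        flags.add("unknown sender")
    if any(phrase in message.lower() for phrase in URGENCY):
        flags.add("urgency or fear")
    for match in URL_RE.finditer(message):
        host = host_of(match.group(0))
        if host in SHORTENERS:
            flags.add("shortened URL")
        elif host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
            continue  # exact trusted domain or one of its subdomains
        elif any(host.translate(LOOKALIKES) == t or edit_distance(host, t) == 1
                 for t in TRUSTED):
            flags.add("lookalike domain")
        else:
            flags.add("unfamiliar domain")
    return sorted(flags)
```
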
Spyware messages can be highly targeted. Here are some real-world examples of how Pegasus Spyware has been deployed:
"Dear Carmen my brother died in an accident, I’m devastated, I send you the information about the funeral, I hope you can come: [spyware link]" (source)
USEMBASSY.GOV/ WE DETECTED A PROBLEM WITH YOUR VISA PLEASE GO PROMPTLY TO THE EMBASSY. SEE DETAILS [spyware link] (source)
LX 1955 BCN-ZRH 26Jun2020 - Click on the link to receive your mobile boarding pass [spyware link] (source)
Be aware: Some spyware is deployed using exploits that don't require you to click a link at all ("zero-click exploits"). These might show up as missed calls on WhatsApp, for example.
Enhanced protections
This section is for you if you are in a leadership role or you are doing activism that is more likely to be targeted by the state or your opposition.
Remove as many apps as you can from your phone/device
If you want to make it tougher for a thief to get into your home, one easy step is to cut down on the number of doors. On your device, each app acts as a "door" to the outside world, exposing you to increased risk of attack. If the app has a bug or vulnerability, it makes your whole device vulnerable.
How to remove apps
Scan through all the apps on your phone and computer.
Decide if you truly need it. Many apps can just as easily be accessed via their website instead. It is usually a little more inconvenient, but you get more privacy and security as a result.
Uninstall it if at all possible. If you're not sure, try uninstalling it for a week and see if you can manage without it. You can always reinstall later.
Examples of apps that have been used by spyware in the past:
Turn off link previews on Signal and WhatsApp
When you include a link in a message, it often generates a "link preview." Even though you can't see it, your device is visiting that webpage to extract the correct preview image. If the webpage is malicious, a sophisticated attacker can identify your location or in extreme cases, implant spyware on your phone.
How to disable link previews
Signal: Settings → Chats → Disable "Generate Link Previews"
WhatsApp: Settings → Privacy → Advanced → Disable link previews
Cover the front camera
If you were infected by spyware already, it can perform live surveillance on your device, accessing the camera and microphone. To limit what spies can see, it's a good idea to cover at least your front camera.
How to cover your front camera
Get a sticker that has enough stickiness to be reusable. Or consider this sticker pack from SLNT.
Put it on your phone and your laptop
Move it off temporarily when you need the front camera, then remember to move it back.
Consider getting a secondary or burner phone for activist work
If it fits your workflow, consider setting up a second phone just for your higher-risk work.
Check our Secondary Phone Checklist for more on this.
If you do this, make sure you still take security precautions on all devices. Even though only one device has sensitive communications/data on it, both devices could be a target for spyware since they reveal your location and other personal information an attacker might want.
Reboot your device regularly
We can't be certain whether spyware can survive a reboot (i.e. a restart), as this varies depending on the type of spyware and its license. However, restarting is a costless action that may complicate the efforts of the surveilling party to continue spying on you.
If reboots do indeed disrupt the spyware, the actor attempting to spy on your device would need to reinfect your phone.
Testing Devices
Detecting spyware on a device is not a trivial task and you shouldn't rely on just anyone to test your phone. Civil society globally have turned to these three institutions to help in testing their phones:
Electronic Frontier Foundation (for people in the US)
Each organization will have its own vetting process, and it might take some time for them to respond to your request while they verify everything on their end.
How to notice if you might be infected
Spyware generally presents no noticeable symptoms and infects silently. However, some common complaints from spyware targets over the years have included:
Rapid drainage of the phone battery
Suspicious behavior from certain apps
Abnormal data usage
Receipt of suspicious links or attachments
If you notice any of these symptoms, it does not necessarily mean that your device has been hacked with spyware. We recommend contacting one of the organizations linked above to get your device tested.
Spyware is highly advanced malware that a regular antivirus will not detect. We recommend contacting expert, trusted organizations for support with determining whether your device exhibits signs of (past or present) compromise.
Apple and WhatsApp now regularly notify users they suspect their devices have been targeted with mercenary spyware. Here's more on Apple's threat notifications and WhatsApp's threat notification.
Have Questions?
Let us know if you have questions or feedback so we can make these guides as useful as possible.