New iPhone Spyware Warning — Act Now To Prevent Attacks

A new warning has been issued to Apple iPhone users by researchers after they found forensic evidence that Paragon Graphite spyware has taken over targets’ devices.

Cybersecurity researchers at Citizen Lab — which is known to discover and report vulnerabilities such as spyware — found spyware made by Israeli firm Paragon targeting iPhones. It comes after the Italian government admitted using spyware to target civil society.

Apple initially issued an alert on the new spyware targeting a number of iOS users including journalists on April 29. Among the group were two journalists that consented for the technical analysis of their cases, Citizen Lab’s Bill Marczak and John Scott-Railton wrote in their analysis.

After investigating the devices of a prominent European journalist (who requests anonymity), and Italian journalist Ciro Pellegrino, Citizen Lab found forensic evidence confirming “with high confidence that both a were targeted with Paragon’s Graphite mercenary spyware.”

Citizen Lab found evidence linking both cases to the same Paragon operator.

iMessage Zero-Click Attacks

The attacker deployed Paragon’s Graphite spyware using “a sophisticated iMessage zero-click attack,” Citizen Lab said, adding: “We believe that this infection would not have been visible to the target.”

The iPhone flaw, tracked as CVE-2025-43200, was patched in iOS 18.3.1.

Spyware is so dangerous because it provides adversaries complete access to your iPhone, including your microphone, camera, email and messages — even those sent via encrypted apps such as WhatsApp or Signal.

Worse, spyware is often deployed via so called “zero-click attacks” that require no user interaction, taking advantage of vulnerabilities in the iOS operating system. This means the malware ca be delivered via an image sent via iMessage or WhatsApp — and you don’t need to open it to become a victim.

The fact that Graphite was delivered through a zero-click exploit reflects a growing pattern where “sophisticated spyware uses zero-day vulnerabilities to silently compromise devices,” says Adam Boynton, senior security strategy manager EMEIA at cybersecurity outfit Jamf.

What makes Graphite especially dangerous is its ability to operate covertly in memory, often leaving minimal artefacts on disk, says Boynton.

It is capable of creating system-level impersonations — for example, registering hidden iMessage accounts or spoofing security features — to conceal its presence from both the user and standard detection tools. “These tactics make traditional mobile security models insufficient on their own,” says Boynton.

Graphite Spyware — What To Do To Stay Safe

The new spyware warning is certainly scary, but at the same time, Apple’s security architecture remains “among the strongest in the industry,” says Boynton. He points to the iPhone maker’s Lockdown Mode, which reduces the functionality of your iPhone but helps protect it from spyware.

Spyware is extremely targeted, as can be seen from Citizen Lab’s analysis, which focused on journalist’s iPhones. Other groups vulnerable to the malware include dissidents, political figures and business users operating in certain sectors.

In order to help prevent being targeted, Boynton emphasises the importance of keeping iPhones up to date. He also suggests enabling Lockdown Mode on Apple devices if you are in a sensitive or high-risk role.

Another way of disrupting spyware is to turn your iPhone off and on again. But it’s not a permanent solution and if you do suspect the malware is on your device, contact an organization such as Amnesty or Access Now for help.

As researchers reveal more details about the dangers of the Graphite spyware, it is important that you update your iPhone now to the latest software, currently iOS 18.5. Even if you are not a target, upgrading will protect you from a number of flaws that could compromise your iPhone’s security.