The Era of Zero-Click Attacks
Spyware attacks on journalists, human rights defenders, and political dissidents are no longer rare or exotic. In early 2025, WhatsApp notified roughly 90 users — many of them journalists and civil society members across Europe — that they had been targeted by Israeli spyware company Paragon Solutions. Months later, Apple sent threat notifications to a new group of iOS users; forensic analysis confirmed two of them, both journalists, had been hit with Paragon's Graphite spyware using a zero-click attack, meaning they didn't even have to tap a link to be compromised.
These aren't isolated incidents. They're the norm.
For the last 15 years, security researchers have documented countless cases where government hackers have targeted and successfully compromised journalists, human rights defenders, critics, and political opponents. These attacks rely on expensive, sophisticated, and stealthy tools that allow their operators to hack into computers and, especially, smartphones and install spyware on them. Smartphones are the prime target because they hold virtually all of the data about a person's daily life.
Apple Lockdown Mode: The Nuclear Option
Apple's most aggressive defense is Lockdown Mode, introduced in 2022 and significantly strengthened in 2024. When enabled, it dramatically reduces the attack surface of your iPhone or Mac:
- Message attachment blocking: All message attachments except images are blocked. Link previews are disabled.
- JavaScript JIT compilation disabled: A major vector for code execution attacks is shut down.
- Wired connections restricted: Your device can't sync with computers or accessories when locked.
- VPN-only browsing: Safari enforces VPN tunnels, routing traffic through encrypted channels.
- Contact sharing limited: Shared albums and lists in FaceTime are disabled.
Apple has expanded its Photo Library face blur feature to include automatic face pixelation for images shared with sensitive contacts — useful for journalists documenting protests or conflicts.
Google's Safe Browsing and Advanced Protection
Google's approach to spyware defense is broader, given Android's dominant market share. The company has quietly layered Enhanced Safe Browsing into Chrome mobile, which proactively warns users when they navigate to phishing sites or download malicious files.
More significant is the Advanced Protection Program (APP) — Google's equivalent of Lockdown Mode but for Google Accounts. APP requires hardware security keys (Google's own Titan Key or any FIDO2/WebAuthn key), blocks third-party app access to Gmail and Drive, and forces account recovery through a strictly defined process.
For Android, Google has introduced Automatic Security Update enforcement: critical security patches are pushed to devices faster, and carriers can't block security updates under new Android partnership requirements.
Google has also expanded Play Protect scanning to cover sideloaded APKs — a common infection vector for spyware on Android devices in regions where sideloading is prevalent.
Meta's Quiet Security Upgrades
Meta, whose WhatsApp and Instagram serve billions, has quietly expanded two-factor authentication (2FA) enforcement and login notification systems across its platforms. In 2025, Meta enabled Default Secret Conversations on Messenger, which are end-to-end encrypted by default for users who haven't explicitly opted out.
WhatsApp has implemented security code verification improvements: if a contact's device security key changes unexpectedly, WhatsApp now surfaces a prominent warning, a potential signal of a man-in-the-middle attack or device swap.
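A sketch of the kind of key-change check described above, added here as an illustration for builders; it is not WhatsApp's code. `PinStore`, its methods and the sample keys are hypothetical names constructed for this example, and trust-on-first-use pinning is an assumption about how such a warning can be built.

```python
import hashlib
import hmac
from enum import Enum

# Constructed sample keys; a real client would hold the contact's public identity key.
ALICE_KEY = b"constructed-identity-key-original"
REPLACED_KEY = b"constructed-identity-key-replaced"

class KeyStatus(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: trust on first use
    UNCHANGED = "unchanged"    # matches the pinned key
    CHANGED = "changed"        # differs from the pin: warn the user

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public identity key that two people can compare."""
    return hashlib.sha256(identity_key).hexdigest()[:32]

class PinStore:
    """Hypothetical per-contact store of pinned identity-key fingerprints."""
    def __init__(self):
        self._pins = {}     # contact -> pinned fingerprint
        self._pending = {}  # contact -> new fingerprint awaiting verification

    def observe(self, contact: str, identity_key: bytes) -> KeyStatus:
        fp = fingerprint(identity_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = fp
            return KeyStatus.FIRST_SEEN
        if hmac.compare_digest(pinned, fp):
            self._pending.pop(contact, None)
            return KeyStatus.UNCHANGED
        # Never overwrite the pin silently; hold the new key until verified.
        self._pending[contact] = fp
        return KeyStatus.CHANGED

    def can_send(self, contact: str) -> bool:
        """Block sending while an unverified key change is outstanding."""
        return contact not in self._pending

    def confirm_change(self, contact: str, verified_fp: str) -> bool:
        """Accept the new key only if the out-of-band value matches it."""
        pending = self._pending.get(contact)
        if pending is None or not hmac.compare_digest(pending, verified_fp):
            return False
        self._pins[contact] = self._pending.pop(contact)
        return True
```

The design choice that matters is in `observe`: a changed key is held as pending rather than replacing the pin, so the warning cannot be dismissed by simply receiving the new key again.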
Perhaps most importantly, Meta has started limiting link previews — when you share a URL, the platform no longer fetches a full preview in the background, eliminating a known attack surface used by spyware vendors to inject malicious payloads through link metadata.
What This Means for Builders
For technical founders and product-minded developers, this shift signals a broader trend: security is becoming a default UX layer, not an optional add-on. Apple, Google, and Meta are converging on a model where:
The next time you ship a consumer app, ask yourself: are you giving users a meaningful way to harden their security posture, or just adding a settings page checkbox that nobody sees?
The Arms Race Continues
Spyware vendors aren't standing still. NSO Group's newer Graphite variant, analyzed by Citizen Lab in 2025, exploited a vulnerability in iMessage's image rendering pipeline — requiring zero user interaction and leaving minimal forensic trace.
Paragon's operations in Europe represent a new breed of commercially available spyware with government customers. The product is sold as a service, with regular updates, professional support, and plausible deniability.
This means the defense tools built by Apple, Google, and Meta will need to evolve faster than ever. For now, the message is clear: your smartphone is both your greatest vulnerability and your most important line of defense. The companies building those devices are finally taking that responsibility seriously.