Breaking AI & Tech News Analyzed

The Growing Threat of Spyware Attacks Spyware attacks on journalists, human rights defenders, and political dissidents are no longer rare or exotic. In early 2025, WhatsApp notified roughly 90 users — many of them journalists and civil society members across Europe — that they had been targeted by Israeli spyware company Paragon Solutions. Months later, Apple sent threat notifications to a new group of iOS users; forensic analysis confirmed two of them, both journalists, had been hit with Paragon’s Graphite spyware using a zero-click attack, meaning they didn’t even have to tap a link to be compromised. How Spyware Works and What It Can Do These attacks rely on expensive, sophisticated, and stealthy tools that allow their operators to hack into and install spyware on computers, but especially smartphones, which hold virtually all of the data about a person’s daily life. Spyware gives its operators virtually full access to the target’s device and data. Government spies can record phone calls, steal chat messages, access photos, and switch on the device’s camera and microphone to record ambient sound and record nearby conversations. Spyware also typically tracks a person’s real-time location. Tech Giants Offer Opt-in Features to Counter Spyware In response to these attacks, tech giants now provide their users with better defenses. In particular, Apple, Google, and Meta offer opt-in features specifically designed to counter targeted spyware attacks. Generally speaking, these features add extra protection, sometimes by turning off or limiting some regular features. It’s a tradeoff, but having used these myself for a long time, I have never found them to be too onerous or annoying to use. Apple's Lockdown Mode Apple’s Lockdown Mode is available on all Apple devices, including iPhones. Apple says that when Lockdown Mode is enabled, “your device won’t function like it typically does.” In exchange for this inconvenience, your device will be more secure. There is evidence that Lockdown Mode has helped in the past. Citizen Lab found that Lockdown Mode stopped one spyware attack carried out with NSO Group’s Pegasus software. As recently as March, Apple said it has never detected a successful attack on an Apple device with Lockdown Mode enabled. Google's Advanced Protection Program Google launched its Advanced Protection Program in 2017. This feature is designed to make your Google account more resilient against malicious hackers of all kinds. Advanced Protection Program includes the following features: Requires a physical security key (or a software passkey) as an additional verification factor apart from your passwords. Adds a recovery phone and a recovery email to your account, or uses a backup passkey or security key. WhatsApp's Strict Account Settings WhatsApp launched Strict Account Settings earlier this year, an opt-in feature that switches on some privacy and security controls depending on the operating system. On Android and iOS, Strict Account Settings turns on the following features: Two-step verification. Account protection. The Future of Spyware Protection No security measure is perfect, and it’s a constant effort to keep security flaws at bay. Spyware makers find new ways to hack into phones and services, then software makers learn from those attacks and respond. Rinse and repeat. But that doesn’t mean these features are not worth using. On the contrary; these features have been proven effective. “These features are free, easy to enable, and the best defense we have today against sophisticated spyware,” said Runa Sandvik, a security researcher who has worked to protect journalists and other at-risk communities for more than a decade. “If the features get in the way of something you need to do, you can easily turn them off again — meaning it costs very little to turn them on and try them out.”

The Lead: Google's Android Show Unveils AI-Powered FutureGoogle's virtual "Android Show: I/O Edition" event revealed a comprehensive update to its Android ecosystem, featuring new hardware, AI enhancements, and user experience improvements. The announcements underscore Google's strategic focus on integrating its Gemini Intelligence across devices while expanding its hardware partnerships.Googlebooks: Redefining Laptops with AI at the CoreGoogle introduced Googlebooks, a new line of laptops designed from the ground up for Gemini Intelligence. The company is collaborating with major manufacturers including Acer, Asus, Dell, HP, and Lenovo to create these devices launching this fall. Googlebooks will feature "Magic Pointer" - a cursor with built-in Gemini capabilities, seamless integration with Android phones, and custom widget functionality.Vibe-Coded Widgets: Personalization Through Natural LanguageGoogle unveiled "Create My Widget," a feature allowing users to generate custom widgets using natural language descriptions. This innovation will first roll out on Samsung Galaxy and Google Pixel phones this summer. Users can simply describe what they want - such as "suggest three high-protein meal prep recipes every week" - to create personalized dashboard widgets that can be added and resized on their home screens.Android Auto: Enhanced Experience with Video SupportAndroid Auto is receiving a significant refresh with more personalization options, widgets, and an edge-to-edge interface adaptable to various screen shapes. Media apps like YouTube Music and Spotify are being redesigned for easier in-car use. Notably, Android Auto will support 60fps full HD video playback on YouTube in supported cars later this year, with BMW, Ford, Genesis, Hyundai, Kia, Mahindra, Mercedes-Benz, Renault, Škoda, Tata, and Volvo among the first manufacturers to implement this feature.Gemini Intelligence Expands Across Android EcosystemGoogle is broadening Gemini's presence across its platforms, with the assistant now capable of performing multistep functions across apps. Users can take a photo of an event flyer and ask Gemini to find that event on booking sites, or invoke the assistant with a grocery list to build a cart in their preferred shopping app. Gemini is also coming to Chrome on Android, allowing users to summarize content and ask questions about webpages, with an experimental auto-browse feature capable of completing tasks like booking tickets.Enhanced Security and Privacy FeaturesGoogle is expanding its default-on theft protections to all Android users globally. These features, including Remote Lock and Theft Detection Lock, will be enabled by default on new Android 17 devices, freshly reset devices, or those upgraded to the latest OS. The company is also reducing the number of PIN/password guess attempts a thief can make and increasing wait times between failed attempts. Additionally, Pixel users with Advanced Protection Mode now have access to Intrusion Logging to investigate suspected spyware attacks.The Future of Android: Seamless Integration and AI AssistanceGoogle's announcements signal a future where AI seamlessly integrates into daily tasks across devices. The company is working to break down barriers between platforms, with Quick Share expanding to work with iPhones from various manufacturers and a new iOS-to-Android transfer feature allowing users to import passwords, photos, messages, and more. The introduction of features like Rambler in Gboard, which converts speech to cleaned-up text by removing filler words, demonstrates Google's commitment to natural interaction with technology.

The Lead Paragon Solutions, an Israeli surveillance tech maker, is facing criticism for its lack of cooperation with Italian authorities investigating a spyware attack that targeted journalists and activists. The company had previously promised to help investigate the scandal. Paragon's Uncooperative Stance Last year, WhatsApp and Apple notified several people in Italy, including journalists and activists, that they had been targeted with government spyware. Paragon Solutions was pointed out as the company that provided the technology for a hacking campaign that targeted around 90 people around the world with its 'Graphite' spyware. Italian prosecutors sent a formal request for information to Paragon, via the Israeli government, but a year after the investigations were opened, the company has yet to respond. The Data Analysis 90 people around the world were targeted by Paragon's Graphite spyware. Several people in Italy, including journalists and activists, were notified by WhatsApp and Apple that they had been targeted. The Impact Analysis Paragon's move was likely motivated by its longstanding attempts to appear as an ostensibly more righteous alternative to other spyware makers, such as NSO Group or Intellexa, which have been ensnared in countless scandals around the world. The company's official website, which no longer loads, said it provides customers 'with ethically based tools, teams, and insights.' The Prediction The investigation is still ongoing, and it remains to be seen how Paragon's lack of cooperation will impact the case. The company's contract with the U.S. Immigration and Customs Enforcement (ICE) may also come under scrutiny.

In his 15-year tenure as Apple's CEO, Tim Cook has cultivated an image of the tech giant as a steadfast defender of privacy rights, famously calling it "a fundamental human right" and positioning Apple as the obvious choice for privacy-conscious consumers. Yet as Cook prepares to depart from the role in September, his privacy legacy appears increasingly complicated, marked by stark contradictions between Apple's public stance and its practical compliance with government demands, particularly in China. Key Developments Under Cook's leadership, Apple has made several high-profile moves that established its privacy credentials: In 2015, Apple resisted the FBI's demand to unlock the iPhone of a San Bernardino shooter, with Cook writing an open letter explaining that creating a "back door" to the iPhone would be "too dangerous to create" In 2021, Apple introduced App Tracking Transparency, allowing iPhone users to limit app tracking and threatening to remove apps that tracked users without permission The same year, Apple sued Israeli spyware firm NSO Group, accusing it of surveilling iPhone users Cook consistently criticized competitors like Meta and Google for their expansive data collection practices, calling it "surveillance" However, Apple's actions in international markets tell a different story: In 2018, Apple transferred Chinese users' iCloud data to a state-backed datacenter in Guizhou, allowing Chinese authorities easier access to user information In 2024, Apple removed popular messaging apps including Telegram, WhatsApp, and Signal from the Chinese App Store at government request The company's "private relay" feature, designed to prevent anyone from seeing a user's identity or browsing activity, was not made available in China or Saudi Arabia Similar concessions were made in Russia, with user data moved to local servers Data & Market Impact Apple's relationship with China has significant financial implications. The company reported a "massive spike" in iPhone revenue driven by renewed demand in China in its latest earnings report. China represents Apple's second-largest and fastest-growing market, crucial for both its supply chain and consumer base. The concessions to Chinese authorities have had measurable impacts on user privacy: The transfer of iCloud data to China's Guizhou-Cloud Big Data center enables Chinese officials to bypass American courts to obtain user data directly Human rights groups including Amnesty International have expressed concerns that this arrangement has facilitated China's crackdown on dissidents A New York Times investigation found that tens of thousands of apps disappeared from Apple's Chinese App Store over several years, including foreign news outlets, gay dating services, and encrypted messaging apps Why This Matters Tim Cook's privacy legacy matters for several reasons: For consumers globally, Apple's contradictory approach to privacy creates confusion about what privacy protections they can actually expect. While Western users benefit from Apple's strong privacy features, users in authoritarian regimes are left vulnerable to government surveillance through compromised systems. For businesses, Apple's situation highlights the fundamental tension between global corporate operations and local legal requirements. As companies expand into international markets, they must navigate increasingly complex privacy landscapes that vary dramatically by region. For the tech industry, Apple's mixed signals on privacy set a concerning precedent. When the industry's most valuable company by market capitalization champions privacy in one market while compromising it in another, it creates a fractured standard that other companies may follow to maintain market access. For democracy and human rights, Apple's concessions in China represent a troubling trend of tech companies enabling authoritarian control. By making user data accessible to Chinese authorities and removing applications that facilitate free expression, Apple has become complicit in systems that suppress dissent and monitor citizens. Expert Insight The contradiction in Apple's privacy approach stems from a fundamental business dilemma: maintaining its ethical stance while preserving access to critical markets. As Katie Paul, director of the Tech Transparency Project, notes, "Apple has been very good at being a pioneer at marketing privacy protections – but in reality, we found that a lot of that doesn't actually play out in the way it operates." Cook's philosophy of "getting in the arena" rather than "yelling from the sidelines" reflects a pragmatic approach to global business that prioritizes market presence over principled stands. This approach has allowed Apple to maintain its significant presence in China, but at the cost of its privacy principles. The situation also reveals the limitations of corporate self-regulation in the absence of strong international privacy standards. Without consistent global frameworks, companies like Apple are left making ad hoc decisions that balance ethical considerations against commercial interests, resulting in inconsistent application of privacy protections. What Happens Next As Cook prepares to step down, Apple's privacy approach may undergo significant changes: Successor's Privacy Philosophy: Apple's next CEO may take a different approach to privacy, potentially either doubling down on consistent global privacy standards or further prioritizing market-specific compliance. Regulatory Pressure: With increasing global focus on digital rights and data protection, Apple may face greater scrutiny from international bodies regarding its inconsistent privacy practices. Technological Solutions: Apple may develop new technical approaches to privacy that can comply with local regulations without compromising user data, such as advanced encryption techniques that maintain user protections even when data is stored locally. Market Divergence: We may see Apple developing different product versions for different markets, with enhanced privacy features in democratic nations and compliance-focused versions in authoritarian regimes. Industry Standards: Apple's approach could influence other tech companies, potentially leading to a two-tier system of privacy protections globally or prompting stronger international agreements on digital rights. Consumer Backlash: Privacy-conscious consumers in democratic nations may increasingly question Apple's commitment to privacy, potentially affecting brand perception and market position. As the digital landscape continues to evolve, Apple's approach to privacy will likely remain a central issue in discussions about corporate responsibility, human rights, and the future of digital freedom.

The Lead Apple has rolled out critical security updates for older iPhone and iPad models to counter a sophisticated web-based attack known as DarkSword. The release of iOS 18.7.7 and iPadOS 18.7.7 is a direct response to a leaked set of hacking tools that can compromise devices running versions 18.4 through 18.7. Understanding the DarkSword Vulnerability DarkSword is a sophisticated exploit kit that operates through a 'drive-by download' mechanism. Attackers do not need to trick users into clicking suspicious links; instead, simply visiting a legitimate website that has been breached can trigger the malicious code. This allows the toolkit to break into Apple devices and install spyware without the user's immediate knowledge. The Data Impact of the Exploit The capabilities of the DarkSword toolkit pose a significant threat to user privacy. Once a device is compromised, attackers gain access to a wide range of sensitive information, including: Private messages Browser history Location data Cryptocurrency wallet credentials Security researchers have observed these tools being used in targeted attacks across China, Malaysia, Turkey, Saudi Arabia, and Ukraine. User Friction and Update Resistance Despite the severity of the threat, Apple notes that millions of users remain vulnerable because they have chosen not to update their devices. The primary driver for this resistance is the user experience; many users have opted out of the latest software updates to avoid the new 'liquid glass' interface, prioritizing familiarity over security patches. The Role of Lockdown Mode For users who remain at high risk, Apple’s optional Lockdown Mode offers a robust defense. The company has confirmed that this feature effectively blocks attacks that would bypass standard protections, including those from government-sponsored spyware campaigns. Future Outlook on Web-Based Threats The publication of the DarkSword toolkit on the open web signals a worrying trend. As these tools become more accessible, we can expect an increase in low-cost, high-impact cyberattacks targeting older device versions that lack the latest security protocols.

Apple’s Lockdown Mode: Four Years of Zero Successful BreachesAfter almost four years since its launch, Apple has confirmed a significant milestone in consumer cybersecurity: no user with Lockdown Mode enabled has been successfully hacked with mercenary spyware. In a statement to TechCrunch, Apple spokesperson Sarah O'Rourke confirmed that the company is not aware of any successful attacks against devices protected by this feature, representing a four-year streak of effectiveness against some of the most sophisticated state-sponsored hacking tools in existence.The Architecture of Resistance: How Lockdown Mode WorksLockdown Mode is an opt-in security feature designed to harden Apple devices against exploits that are typically used by state-sponsored actors. By restricting certain functionalities, the feature effectively shrinks the attack surface available to hackers.Feature Restrictions: It disables most message attachments and restricts WebKit features.Targeted Threats: It specifically counters exploits used by notorious spyware vendors like the NSO Group, Intellexa, and Paragon Solutions.Zero-Click Exploits: It blocks remote attack chains that do not require user interaction, such as zero-click exploits.Security experts, including Patrick Wardle, describe this as one of the most aggressive consumer-facing hardening features ever shipped. By eliminating entire delivery mechanisms, the feature forces spyware developers to use more complex and expensive techniques to bypass the defenses.The Zero-Breach MilestoneDespite Apple sending notifications to users in over 150 countries alerting them to potential hacking attempts, the data remains clear: Lockdown Mode has not been bypassed in any confirmed case. Independent investigations by organizations like Amnesty International and the University of Toronto’s Citizen Lab have corroborated Apple's findings.Independent Verification: Amnesty International's Donncha Ó Cearbhaill confirmed no evidence of successful compromise where Lockdown Mode was active.Active Blocking: Citizen Lab documented instances where Lockdown Mode actively blocked attacks from NSO's Pegasus and Predator spyware.Evasion Tactics: Some spyware variants have been observed to abort attacks entirely if Lockdown Mode is detected, likely to avoid detection by security researchers.Shifting the Burden of Defense to the ConsumerThe success of Lockdown Mode marks a pivotal shift in the cybersecurity landscape. Historically, high-end security was the domain of governments and large corporations. Apple is now effectively forcing the burden of defense onto the individual consumer.While the feature requires users to accept a trade-off in usability—such as extra steps for copying links or occasional confusing notifications—the data suggests the trade-off is worth it for high-risk targets. The feature has successfully neutralized the most common vectors used by mercenary spyware, rendering them ineffective against the vast majority of attackers.The Future of Digital HardeningLooking ahead, the success of Lockdown Mode sets a new standard for consumer device security. As spyware vendors adapt to this new reality, we can expect a cat-and-mouse game where attackers attempt to find new vulnerabilities. However, for the foreseeable future, Lockdown Mode remains the gold standard for protecting individuals from state-sponsored digital intrusion.

The Coruna and DarkSword Threat For years, the prevailing narrative among iPhone security experts was that breaking through Apple's defenses was a rare, high-barrier event requiring significant resources. However, recent investigations by Google, iVerify, and Lookout have shattered this assumption. Researchers have documented broad-scale hacking campaigns utilizing two specific tools, Coruna and DarkSword, which have been used to target victims globally who are not running the latest software updates. Attack Vectors: Hackers are compromising legitimate websites and creating fake pages to deliver spyware. Key Actors: Involvement of Russian spies and Chinese cybercriminals. Tool Availability: The source code for these tools has leaked online, allowing anyone to launch attacks against older iPhones. The Two-Tier iPhone Security Landscape The discovery of Coruna and DarkSword highlights a critical data point in the current security ecosystem: the existence of two distinct classes of iPhone users. This bifurcation is driven by the introduction of Memory Integrity Enforcement in iOS 26, a feature designed to prevent memory corruption bugs—the very vulnerabilities exploited by DarkSword. Class A (Secure): Users on the latest iPhone 17 models running iOS 26 are protected by memory-safe code and Lockdown Mode, making them resistant to these specific memory-based hacks. Class B (Vulnerable): Users running iOS 18 or older versions remain exposed to memory corruption attacks, as these older systems lack the new safety enforcement layers. Challenging the 'Rare Hack' Myth The widespread use of these leaked tools suggests that spyware attacks are becoming more common and less exclusive. This shift is fueled by a thriving "second-hand" market for exploits, where brokers resell vulnerabilities before they are patched. Experts argue that the rarity of iPhone hacks has been overstated simply because they are rarely documented. As noted by Patrick Wardle, the baseline capability for such attacks is now accessible to a wider range of actors, moving beyond state-sponsored actors to include cybercriminals. The End of the 'Rare Hack' Era The future of mobile security appears to be one of continuous escalation. With the code for Coruna and DarkSword now public, the barrier to entry for launching attacks against older devices has lowered significantly. This indicates that memory-based exploits will continue to plague lagging users, and the market for exploit development will likely expand as brokers seek to monetize vulnerabilities before updates are applied.

The Dual Threat: Coruna and DarkSwordSecurity researchers have identified two distinct but equally dangerous hacking toolkits, Coruna and DarkSword, that have leaked onto the open web. These advanced exploit kits, capable of breaking into iPhones and iPads, were originally developed for high-level government surveillance but are now available for anyone to download.Coruna: Targets iOS 13 through 17.2.1. Linked to Trenchant, a unit within U.S. defense contractor L3Harris, and previously used in Operation Triangulation against Russian targets.DarkSword: Targets iOS 18.4 and 18.7. Leaked on GitHub, making it "plug-and-play" for cybercriminals.The Scale of VulnerabilityThe scale of this exposure is staggering. According to Apple's statistics, nearly one-in-three iPhone and iPad users are still not running the latest software. With over 2.5 billion active devices globally, this implies hundreds of millions of users are susceptible to these attacks.DarkSword is particularly concerning because it targets newer devices running iOS 18.4 and 18.7. Researchers have already tested the leaked code, successfully hacking their own devices to demonstrate the ease of use.From State-Sponsored Espionage to Public ExploitationThis leak marks a dangerous shift in the cybersecurity landscape. Historically, sophisticated tools like Coruna were the domain of state-sponsored actors targeting specific regions, such as the Uyghurs in China or activists in Hong Kong.However, the release of DarkSword represents a move toward indiscriminate cybercrime. The tool is written in web languages like HTML and JavaScript, allowing attackers to launch attacks simply by hosting a malicious website. Victims in China, Malaysia, Turkey, Saudi Arabia, and Ukraine have already been targeted.The Future of Zero-Day WeaponizationThe leak of these tools mirrors the infamous 2017 WannaCry ransomware attack, which was fueled by leaked NSA exploits. Once powerful zero-day vulnerabilities are released into the wild, they are nearly impossible to fully contain.Experts recommend immediate action: users must update to iOS 18.7.6 or iOS 26.3.1. For high-risk individuals, enabling Lockdown Mode remains the most effective defense, as there is currently no public evidence of hackers bypassing its protections.

The Anatomy of the DarkSword LeakSecurity researchers have uncovered a significant escalation in iPhone vulnerabilities following the public release of the DarkSword exploit kit on the code-sharing site GitHub. Unlike sophisticated zero-days that require specialized knowledge to deploy, the leaked files are uncomplicated HTML and JavaScript scripts that can be hosted on a server in a matter of minutes. This accessibility has turned a tool previously associated with state-sponsored actors into a potential weapon for any criminal actor.The toolkit specifically targets iPhones and iPads running older versions of Apple’s operating system, such as iOS 18, which have not yet been updated to the latest iOS software. The code is designed to work "out of the box," meaning no iOS expertise is required to execute the attack. Researchers note that the leaked samples share infrastructure with previous campaigns analyzed by iVerify and Google, indicating a continuity in the threat landscape.The Scale of the VulnerabilityThe implications of this leak are vast, given the sheer number of devices potentially affected. According to Apple’s own data, approximately one-quarter of all iPhone and iPad users are still running older operating systems. With over 2.5 billion active devices globally, this suggests that hundreds of millions of users are currently exposed to the capabilities of DarkSword.Targeted Data: The exploit is capable of exfiltrating forensically relevant files, including contacts, messages, call history, and the iOS keychain (which stores Wi-Fi passwords and secrets).Historical Context: DarkSword was previously alleged to be used by Russian government hackers against Ukrainian targets, linking this new leak to geopolitical cyber warfare.From State-Sponsored to Criminal PlaygroundThe ease with which DarkSword can be repurposed has raised alarms within the cybersecurity community. Matthias Frielingsdorf, co-founder of mobile security startup iVerify, described the situation as "bad" and warned that the tool cannot be contained. The transition of such advanced spyware from a restricted government tool to a public commodity lowers the barrier to entry for cybercriminals.Kimberly Samra of Google and security hobbyist matteyeux have independently confirmed that the leaked code is trivial to use. Matteyeux successfully demonstrated the exploit on an iPad mini running iOS 18, proving that the threat is immediate and actionable for malicious actors.The Future of iOS Security and Lockdown ModeApple has responded by issuing an emergency update on March 11 for devices unable to run recent versions of iOS. The company emphasizes that keeping software up to date is the "single most important thing" for security and notes that devices with updated software are not at risk.Furthermore, Apple highlighted that Lockdown Mode would block these specific attacks. As the industry moves forward, the reliance on software updates and hardening features like Lockdown Mode will become increasingly critical in defending against the commoditization of exploit kits like DarkSword.