It is not rare anymore. Spyware isn’t some exotic threat lurking in the shadows of sci-fi novels. It is here. Early 2025 brought the proof: WhatsApp flagged roughly 90 users across Europe. Journalists. Civil society members. Targeted by Paragon Solutions, an Israeli firm specializing in digital stalking. Months later, Apple dropped alerts for a new wave of iOS victims. Two of them? Journalists again. Hit by Graphite. Zero-click. No tap required. No link clicked. Just compromised.
“These aren’t isolated incidents. They’re the norm.”
Fifteen years of research backs this up. Governments are out there, hacking their critics. The tools are expensive, slick, and designed to steal your entire digital life from the device sitting in your pocket. They record calls. Steal chats. Flip your camera. Track your GPS location in real-time.
So, what do you do?
You lean on the big three. Apple, Google, Meta. They know this game, too. They have built opt-in features meant to raise the wall. Higher walls cost convenience, sure. I’ve used these settings for years. The friction is minor. The safety payoff? Immense. If you suspect you’re on a list because of who you work with, turn these on. Even if you’re just a regular person who values privacy? Turn them on anyway. Why leave the front door unlocked when the latch is free?
Security is a treadmill. Spyware writers find a hole, you patch it, they find another one. Rinse. Repeat. But the features listed below work. Runa Sandvik, who has spent over a decade protecting journalists, put it simply:
“These features are free, easy to enable… and the best defense we have against sophisticated spyware. If the features get in the way, you can turn them off. The cost of trying them is nearly zero.”
Here is how you harden your defenses.
Apple’s Lockdown Mode
This is the nuclear option. Available on iPhones and other Apple devices. When you toggle it, the phone changes behavior. Drastically.
Evidence exists. Citizen Lab reported that Lockdown Mode successfully blocked a Pegasus attack by NSO Group. Apple claims, as of March, no successful attacks on devices with the mode active.
What breaks when you turn it on? Quite a bit.
- iMessage blocks almost all attachments. Only specific image/video/audio types slide through.
- Links in iMessage are stripped of previews. Just raw web addresses.
- Safari blocks fonts and certain web tech.
- FaceTime rejects strangers or people you haven’t touched in 30 days.
- SharePlay and Screen Sharing? Dead.
- No auto-connecting to public Wi-Fi.
- No 2G or 3g networks.
It strips location data from shared photos. It disables Game Center. It makes connecting to computers require your passcode.
To enable it:
Go to Settings > Privacy & Security > Lockdown Mode. Turn it on. The device restarts.
I’ve used it. Websites felt weird at first. Glitchy. That passed. You can still selectively disable parts for specific sites without killing the whole feature. It takes a week to adjust. Then, it becomes invisible.
Google’s Advanced Protection Program
Google rolled this out in 2017 to fight the hackers targeting its own ecosystem. It locks down the account itself.
What changes:
- Third-party apps can no longer sneak in access without explicit, hard approval.
- Deep Gmail Scans hunt for phishing and malicious code in your inbox.
- Android becomes walled. No apps from outside the Play Store. Ever.
- Logins require extra verification steps. Not just a code. A key.
To enable it:
Visit the program’s official page. You will be forced to add a physical security key (or a robust passkey) to your account. Passwords are no longer enough. You need a recovery email, too.
It is a hurdle. A deliberate one. But it stops credential theft in its tracks.
Android’s Advanced Protection Mode
Think of this as Google’s answer to Lockdown Mode, tailored for its own OS. Released last year. It shares the DNA but speaks the language of Android hardware.
Key shifts:
- Play Protect ramps up. Apps get scrutinized for “harmful behavior.”
- Unknown apps are banned. Updates to them? Blocked.
- MTE (Memory Tagging Extension) engages on supported chips. Hardware-level protection against memory exploits.
- The phone locks if it moves too fast. Theft detection.
- Offline for too long? It locks.
- Locked for 72 hours? It reboots automatically. This frustrates forensics tools like those from Cellebrite, making data extraction much harder.
- USB ports are disabled when the lock screen is active.
It blocks 2G connections. It scans for spam calls. It forces HTTPS encryption on Chrome for every single site. JavaScript gets neutered. The attack surface shrinks.
To enable it:
Settings > Security and Privacy > Advanced Protection > Device Protection.
WhatsApp’s Strict Account Settings
WhatsApp is the battleground. Three billion users. The target market for expensive zero-click exploits is huge. NSO Group targeted over 1,000 users there in 2019. Again, last year, dozens more.
The response: Strict Account Settings. Launched earlier this year.
It toggles several switches simultaneously on Android and iOS.
- Two-step verification becomes mandatory.
- You get alerts when contacts reinstall WhatsApp or change phones. Crucial for spotting SIM swaps or account hijacks.
- Attachments and media from strangers are blocked.
- Link previews die.
- Unknown calls are silenced.
- Your IP address is hidden during calls.
- Profile details? Invisible to non-contacts. Last seen, about section, photo—gone.
You become a ghost to anyone not in your trust circle. Only pre-established contacts can add you to groups.
To enable it:
Settings > Privacy > scroll to Advanced > Toggle Strict Account Settings.
Is it annoying? Sometimes. A contact might complain they can’t send you a video file. You can always turn it off for that person, or just tell them to use a secure link instead.
The goal isn’t paranoia. It is leverage. By making the hack expensive, slow, and difficult, you make yourself a less interesting target. You buy time. In the world of digital espionage, time is the only currency that matters.
