India’s Ministry of Electronics and Information Technology (MeitY) has issued a notice to Apple following a new wave of “mercenary spyware” threat notifications sent to Indian users in early December. The alerts, part of a global campaign by Apple and Google on December 2-3, indicate attempts to remotely compromise user devices that are linked to state-sponsored or mercenary surveillance tools. The Indian Computer Emergency Response Team (CERT-In) has released a formal advisory urging affected users to update devices, enable Lockdown Mode, and seek technical assistance if needed.
Alert Content and CERT-In Advisory
CERT-In released advisory CIAD-2025-0048 on December 5, detailing Apple’s notifications to users globally who may have been targeted by state-sponsored or mercenary spyware operations. Apple’s threat intelligence signals that hostile actors attempted to remotely compromise devices linked to users’ Apple IDs. The advisory recommends immediate action: install the iOS 26.1 update, update messaging and cloud applications, enable Lockdown Mode, and remain cautious of suspicious prompts.
CERT-In has established a dedicated email channel—submitmobile@cert-in.org.in—for users who have received such notifications and wish to have their Apple devices examined or access technical support. This institutional response underscores the severity with which India’s cybersecurity authority is treating the threat and the government’s readiness to assist affected citizens.
Global Context and Mercenary Spyware Threats
Apple’s threat notifications, issued jointly with Google, reached users globally and indicated attempts by sophisticated threat actors to compromise devices. Such notifications typically reflect high-confidence threat intelligence from Apple’s internal security teams and suggest that attackers were actively targeting specific user populations using advanced surveillance tools.
Mercenary spyware—commercial surveillance tools sold to governments and private entities—represents a distinct threat category. Unlike commodity malware, these tools are engineered for stealth, persistence, and exfiltration of sensitive data. They often exploit zero-day vulnerabilities or legitimate system features to maintain access without triggering standard security alerts.
Government Action and Policy Precedent
This is not the first instance of Apple’s threat notifications prompting official Indian government engagement. In 2023, MeitY sought clarification from Apple after several opposition politicians and journalists reported receiving similar alerts. At that time, Apple met with MeitY and CERT-In, stating that its notifications were based on internal security indicators and were not linked to or directed against any government.
MeitY’s renewed notice signals heightened vigilance and a pattern of government oversight regarding foreign surveillance activities on Indian soil. The move also reflects broader geopolitical tensions around digital sovereignty and the use of commercial surveillance tools by state and non-state actors.
Escalating Sophistication and Attribution Challenges
Cybersecurity specialists highlight the escalating sophistication of mercenary spyware. Meghna Bal, director at the Esya Centre, noted that commercial spyware continues to weaken both global and domestic cybersecurity frameworks. “Hostile actors can exploit the same vulnerabilities used by mercenary surveillance tools. Unfortunately, these attacks are likely to become more frequent and sophisticated,” she said.
Bal further emphasized the need for non-proliferation frameworks and closer collaboration between governments and industry on threat intelligence. However, such coordination remains difficult due to competing security interests, commercial incentives, and attribution challenges. Even when vulnerabilities are identified, attribution to specific governments or commercial vendors often remains ambiguous.
Implications for Indian Digital Security
The mercenary spyware alerts have broad implications for India’s digital security posture. High-profile targets—politicians, journalists, activists, business leaders—are routinely subjected to targeted surveillance. The use of commercial spyware tools by state and non-state actors creates a baseline threat environment that standard device security cannot fully mitigate.
For Indian enterprises and government agencies, the alerts reinforce the urgency of implementing device management, network segmentation, and endpoint detection and response (EDR) solutions that can identify anomalous behaviour even when attackers use advanced tools. For individual users, the alerts underscore the importance of maintaining updated device software, using strong authentication, and exercising caution around unusual system prompts.
Government Response and Digital Sovereignty
MeitY’s proactive notice and CERT-In’s technical advisory demonstrate India’s commitment to supporting affected users and maintaining transparency around foreign surveillance threats. The move also signals India’s broader digital sovereignty agenda: asserting government oversight of foreign technology companies’ security practices and ensuring that Indian citizens are protected from external surveillance campaigns.
As India’s digital economy expands and regulatory frameworks like the DPDPA mature, government-industry coordination on threat intelligence, vulnerability disclosure, and rapid response mechanisms will become increasingly central to national cybersecurity strategy.
