This guide draws on technical research from Citizen Lab, Amnesty International’s Security Lab, and Microsoft Threat Intelligence into four active commercial spyware families: Graphite (Paragon Solutions), Pegasus (NSO Group), Predator (Intellexa/Cytrox), and Reign (QuaDream). Actions are ordered by the best tradeoff between ease of implementation and protective effectiveness.
If you or someone you know is experiencing domestic violence and digital surveillance may be involved, I recommend that, in addition to this guide, you also consult the ExpressVPN article on tech safety for survivors of domestic violence. The threat in that setting is usually consumer stalkerware installed by someone with physical access to the phone, which is a different problem from the remotely delivered mercenary spyware covered below, and the advice differs accordingly.
Tier 1 — Critical: Highest Impact, Easiest to Do
1. Keep your OS and all apps fully updated — always
Applies to: Graphite · Pegasus · Predator · Reign
Every spyware family studied depends on exploiting software vulnerabilities. Pegasus's FORCEDENTRY and BLASTPASS chains, Paragon's Graphite exploit against iOS, and Predator's Chrome and Safari chains were all zero-days when they were deployed, but each has since been assigned a CVE and fixed in a routine software update. Enable automatic updates and install them as soon as they appear: a patched device forces the operator to spend a new, unpublished exploit on you, which is expensive and leaves more forensic traces. This single step closes the most thoroughly documented attack vectors across all four families. It is not a complete defense, since a genuine zero-day still works against a fully patched device, which is why the tiers below also reduce the attack surface itself.
- iPhone: Settings → General → Software Update → Automatic Updates (enable all toggles)
- Android: Settings → System → System Update
- Also update all apps via the App Store or Google Play regularly
2. Enable Lockdown Mode (iPhone) or Advanced Protection (Android)
Applies to: Graphite · Pegasus · Reign
Lockdown Mode on iOS removes much of the attack surface that zero-click spyware has used. It blocks most iMessage attachment types and link previews, disables just-in-time JavaScript compilation in Safari, blocks incoming invitations and service requests (FaceTime and HomeKit invitations included) from people you have not previously contacted, and from iOS 17 onward disables 2G cellular. Each of these paths has carried a Pegasus exploit chain: iMessage attachments in FORCEDENTRY and BLASTPASS, HomeKit in PWNYOURHOME, Find My in FINDMYPWN. Citizen Lab observed Lockdown Mode blocking PWNYOURHOME attempts and alerting the user, after which NSO appeared to adjust the exploit to avoid triggering the alert, so treat it as a strong barrier rather than an absolute one. On Android, the device-level Advanced Protection mode introduced in Android 16 applies a similar hardening profile; the older, account-level Advanced Protection Program hardens your Google account sign-in, not the device. This is one of the most powerful single settings changes available.
- iPhone: Settings → Privacy & Security → Lockdown Mode → Turn On Lockdown Mode
- Android 16 and later: Settings → Security & privacy → Advanced Protection → turn on (the menu location varies by manufacturer); on earlier Android versions there is no equivalent device-wide mode, so the remaining items in this guide matter more
3. Restrict WhatsApp group permissions to contacts only
Applies to: Graphite
Paragon's Graphite was delivered over WhatsApp with no user interaction: the operator added the target to a group and sent a malicious document that WhatsApp parsed automatically on receipt. WhatsApp identified and mitigated the exploit on its side and then notified roughly 90 users, mostly journalists and civil society members, whom it believed had been targeted. Restricting who can add you to groups blocks this specific delivery path and requires no technical expertise. It does not stop a compromised contact from adding you, so still treat an unexpected group addition, even from someone you know, as a warning sign.
- WhatsApp: Settings → Privacy → Groups → select “My Contacts” or “My Contacts Except…”
4. Disable iMessage (or enable unknown sender filtering) and restrict iCloud Calendar
Applies to: Pegasus · Reign
Pegasus has repeatedly used iMessage as a zero-click delivery channel, through the KISMET, FORCEDENTRY, PWNYOURHOME, FINDMYPWN and BLASTPASS exploit chains. Reign's ENDOFDAYS exploit used backdated iCloud Calendar invitations that were added silently, with no notification to the victim. Disabling iMessage entirely and moving to Signal removes the single most exploited attack surface. Note that with iMessage off, messages from other iPhone users arrive as SMS instead; SMS still carries one-click links, so the scepticism in item 14 still applies.
- Disable iMessage: Settings → Messages → iMessage (toggle off)
- Or filter unknown senders: Settings → Messages → Filter Unknown Senders (toggle on). This only moves their messages into a separate list and silences notifications; the device still receives and parses the message and its attachments, so it is a nuisance filter, not an exploit mitigation. Lockdown Mode (item 2) is the control that actually restricts attachment parsing.
- Restrict calendar invitations: Calendar app → Settings → disable “Allow Invitations From Unknown People” / avoid syncing iCloud Calendar if possible
- Use Signal as your primary messaging app in place of iMessage
Tier 2 — Critical: Network and Environment Hygiene
5. Use airplane mode in contested or protest environments
Applies to: Predator · Pegasus
Both Predator and Pegasus have been delivered by network injection at the ISP level: a cooperating carrier, or injection equipment placed on its network, silently redirected the target's plaintext web traffic to an exploit server. Putting your device in airplane mode before you enter a contested area removes the traffic that such an injection needs. Three caveats. Confirm that Wi-Fi and Bluetooth actually went off, because both iOS and Android let them be turned back on independently while airplane mode stays enabled. Airplane mode does nothing against spyware that is already installed; a compromised device can still record audio, take photos and log location while offline and upload later. And it is not a substitute for item 8 against a fake base station, since there the radio itself is the thing being attacked. Within those limits it is the most reliable countermeasure against carrier-level injection and needs no advance setup.
- Swipe to Control Center and toggle Airplane Mode on before entering any protest, demonstration, or politically sensitive location
- Use a separate camera or dedicated device for documentation if you need to record
6. Never connect to unfamiliar WiFi in contested areas; use a trusted VPN
Applies to: Predator · Pegasus
The documented injection attacks, Predator in Egypt and Pegasus in Morocco, hijacked unencrypted HTTP requests and redirected the browser to an exploit server; they require an in-path position on your traffic. A trusted VPN encrypts everything between your device and the VPN server, so a carrier in the middle sees no plaintext request to tamper with. Two caveats: the VPN provider now holds the position the carrier had, so choose it accordingly, and a VPN does nothing against zero-click delivery over iMessage or WhatsApp. Turning on HTTPS-only mode in your browser closes the same gap from the other side, since the documented injections relied on a plain http:// visit. Open or venue Wi-Fi at protests, rallies or politically sensitive locations is particularly dangerous, as it may be operated or monitored by an adversary.
- Use a reputable, audited VPN (Mullvad, ProtonVPN, or similar no-log providers) and keep it switched on whenever you must be online in a contested area
- Enable HTTPS-only mode where your browser offers it (Firefox: HTTPS-Only Mode; Chrome: Always use secure connections)
- Prefer your mobile data connection over any unfamiliar Wi-Fi network
- Never connect to open networks named after event venues, activist organizations, or government buildings
7. Do not browse the web or use apps at protests or in contested zones
Applies to: Predator
Aladdin, an ad-based infection vector described in the leaked Intellexa documents analysed by Amnesty International, is designed to deliver a zero-click exploit inside an ordinary advertisement served on a legitimate website or app, with the target selected by IP address or advertising ID; the leaked material describes the capability, not how often it was used. Combined with network injection, this means that simply loading a page on a monitored network can be enough for a silent infection. Browsing also exposes your identity, location and interests to network-level observers. Keep your browser closed and avoid using apps that make outbound connections in these environments.
- Close all browser tabs before entering contested areas
- Do not look anything up, check social media, or open links while at a protest
- If you need information, look it up beforehand and screenshot it for offline reference
8. Disable 2G connectivity on your device where possible
Applies to: Predator
Intellexa’s “Triton” system uses fake 2G base stations — essentially portable IMSI catchers — to deliver baseband exploits targeting Samsung Exynos chipsets, without any cooperation from an ISP. The attack can operate at distances of hundreds of meters. Disabling 2G on your device prevents it from ever connecting to a fake base station, eliminating this attack vector entirely.
- Android (Pixel): Settings → Network & internet → SIMs → [your SIM] → Allow 2G (toggle off). Use this dedicated switch rather than "Preferred network type": Google added it because a preferred-network choice does not guarantee the modem never falls back to 2G
- Samsung: Settings → Connections → Mobile networks → Network mode → LTE only; if your One UI version shows an Allow 2G option under Mobile networks, turn that off instead, for the same reason
- iPhone: iOS has no standalone 2G switch, but Lockdown Mode disables 2G on iOS 17 and later, so for iPhone users Lockdown Mode is the relevant control; Triton as documented targets Samsung Exynos basebands rather than iPhone modems, but a 2G downgrade weakens every phone's link security
Tier 3 — High Priority: Device Hardening and Monitoring
9. Use a content blocker and limit ad tracking
Applies to: Predator
Predator's Aladdin vector works through the advertising ecosystem: advertising IDs, IP-based targeting and demand-side ad platforms are used to route a malicious creative to one specific device through a normal-looking ad. A content blocker removes much of that delivery layer, and deleting or resetting your advertising ID removes one of the identifiers used to pick you out. Browser-level blockers do not cover ads inside apps; a filtering DNS resolver does, at the cost of trusting that resolver with your DNS queries.
- iPhone: install a Safari content blocker (e.g., 1Blocker, AdGuard); Settings → Privacy & Security → Tracking → disable "Allow Apps to Request to Track"; Settings → Privacy & Security → Apple Advertising → disable Personalized Ads
- Android: Settings → Privacy → Ads → Delete advertising ID (Android 12 and later); Settings → Network & internet → Private DNS → point it at a filtering resolver of your choice to cover in-app ads
- Desktop: install uBlock Origin in your browser
10. Monitor Apple threat notifications and register your current contact email
Applies to: Graphite · Pegasus
Apple notifies users it believes have been targeted by mercenary spyware, and these notifications have repeatedly been confirmed by later forensic analysis. Several Graphite and Pegasus victims, including members of the Italian civil society cluster targeted with Paragon's spyware, first learned of the targeting from an Apple alert. Ensure the email address on your Apple Account is current and actively monitored. Apple sends the alert by email and iMessage to the addresses and numbers on the account and also shows a banner after you sign in at account.apple.com; that banner is how you confirm a notification is real rather than a phishing attempt. Google and WhatsApp send comparable warnings for their platforms.
- Verify your Apple Account email is current: account.apple.com (formerly appleid.apple.com)
- If you receive a threat notification, treat it seriously and contact a digital security helpline such as Access Now's Digital Security Helpline (accessnow.org/help)
- Do not dismiss the alert or assume it is a mistake; conversely, a "notification" that arrives only as a link in a message, with no matching banner at account.apple.com, should itself be treated as suspicious
11. Use a separate, minimal “travel device” for high-risk situations
Applies to: Graphite · Pegasus · Predator · Reign
All four spyware families target devices that are always connected, logged into accounts, and carrying full digital identities including contacts, message histories, location data, and stored credentials. A secondary phone with a fresh Apple ID or Google account, minimal apps, and no stored communications dramatically reduces the value of any compromise. Reset or restore it after high-risk events.
- Set up a second device with a separate account not linked to your real identity
- Install only essential apps — no social media, no primary email
- Do a factory reset after any situation where you believe the device may have been targeted
12. Run MVT (Mobile Verification Toolkit) forensic checks periodically
Applies to: Graphite · Pegasus · Predator
Amnesty International's open-source Mobile Verification Toolkit (MVT) checks an iOS backup or filesystem dump, and an Android device over ADB (or an Android backup or bug report), against published indicators of compromise for Pegasus, Predator and related spyware. Amnesty maintains the indicator feed that MVT downloads, and Citizen Lab and others publish indicators it can load. If you believe you are a high-value target, run it every one to three months and after any suspicious device behaviour such as unexpected crashes, battery drain or data spikes. Two caveats: a clean result only means that no known indicator matched, not that the device is clean, and interpreting results takes experience, so hand anything that is flagged to a helpline rather than acting on it alone.
- Download MVT: github.com/mvt-project/mvt
- iOS: create an encrypted Finder/iTunes backup (unencrypted backups omit data MVT needs), decrypt it with mvt-ios decrypt-backup, then run mvt-ios check-backup on the decrypted copy
- Android: enable USB debugging under Developer options and run mvt-android check-adb; mvt-android check-backup and check-bugreport work from an ADB backup or a bug report if you cannot attach the phone directly
- If MVT flags anything, contact Access Now's Digital Security Helpline or Citizen Lab before resetting or otherwise changing the device
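The periodic check above, scripted end to end, as an added example (this wrapper is mine, not code from the MVT project or the cited reports). It assumes MVT is installed and on PATH (pip install mvt); the mvt-ios and mvt-android subcommands it calls are the tool's real ones, while count_detections relies on an assumed result layout (one non-empty <module>_detected.json per module that matched an indicator) and deliberately ignores the record schema so it keeps working if field names change between MVT versions.

```shell
#!/bin/sh
# Added example: wrapper for a periodic MVT check (not MVT's own code).
# Assumes `pip install mvt` has put mvt-ios / mvt-android on PATH.
# count_detections assumes MVT's --output directory holds one
# <module>_detected.json per module that matched an indicator.
set -eu

# Count result files in DIR that hold at least one detection record.
# Only "is this a non-empty JSON array" is checked, not the record fields.
count_detections() {
  dir="$1"
  n=0
  for f in "$dir"/*_detected.json; do
    [ -e "$f" ] || continue            # glob matched nothing
    body=$(tr -d ' \n\r\t' < "$f")     # drop whitespace so "[ ]" == "[]"
    if [ -n "$body" ] && [ "$body" != "[]" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# iOS: refresh indicators, decrypt the encrypted Finder/iTunes backup,
# then check the decrypted copy. BACKUP is the backup directory, PASSWORD
# its encryption password, OUT a fresh working directory for this run.
check_ios_backup() {
  backup="$1"; password="$2"; out="$3"
  mkdir -p "$out/decrypted" "$out/results"
  mvt-ios download-iocs
  mvt-ios decrypt-backup -p "$password" -d "$out/decrypted" "$backup"
  # Do not abort on a non-zero exit: the summary below is still wanted,
  # and the MVT log printed above explains the cause.
  mvt-ios check-backup --output "$out/results" "$out/decrypted" \
    || echo "mvt-ios check-backup exited with status $? (see log above)" >&2
  count_detections "$out/results"
}

# Android: refresh indicators and check the attached device over ADB.
# USB debugging must be on and this computer authorised on the phone.
check_android_adb() {
  out="$1"
  mkdir -p "$out"
  mvt-android download-iocs
  mvt-android check-adb --output "$out" \
    || echo "mvt-android check-adb exited with status $? (see log above)" >&2
  count_detections "$out"
}

# Dispatch only when run with arguments, so the file can also be sourced
# to reuse the functions.
case "${1:-}" in
  ios)     echo "detections: $(check_ios_backup "$2" "$3" "$4")" ;;
  android) echo "detections: $(check_android_adb "$2")" ;;
  *)       echo "usage: $0 ios BACKUP_DIR PASSWORD OUT_DIR | android OUT_DIR" ;;
esac
```

Run it as `sh mvt-check.sh ios ~/Library/Application\ Support/MobileSync/Backup/<id> 'backup-password' ./run-$(date +%F)` or `sh mvt-check.sh android ./run-$(date +%F)`. A count of 0 means no published indicator matched, nothing more; keep the output directory with the run date, since a helpline will want the full results rather than the count.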
Tier 4 — Ongoing Operational Habits
13. Keep your contact list and message history lean
Applies to: Graphite · Pegasus · Predator
Once installed, all four spyware families can exfiltrate contact lists, messages, call logs, photos, and location history. Graphite reportedly targets messaging apps specifically to map activist networks. Keeping a minimal contact list and regularly deleting message histories limits the damage if infection occurs. Enable disappearing messages by default on Signal and WhatsApp.
- Signal: Settings → Privacy → Disappearing Messages → Default timer for new chats → set to 1 week or less (chats that already exist keep their own timer; set those individually)
- WhatsApp: Settings → Privacy → Default message timer → choose a duration (again, existing chats keep their current setting until changed per chat)
- Periodically review and remove contacts you no longer communicate with
- Do not store sensitive contacts under their real names on your primary device
14. Be skeptical of unexpected messages, links, and calendar invitations — even from known contacts
Applies to: Predator · Reign
While zero-click attacks require no interaction, one-click attacks remain the dominant delivery method for Predator. An Angolan journalist was infected after clicking a WhatsApp link from an attacker who had spent weeks posing as a student to build trust before sending the malicious link. Reign’s ENDOFDAYS sent invisible calendar invitations. Even zero-click attacks may be preceded by social engineering designed to verify a target’s identity. Treat any unexpected communication as potentially adversarial.
- Do not click links sent by unknown numbers, even if the message appears legitimate
- Verify unexpected file attachments or links out-of-band (call the sender on a different channel) before opening
- Decline unexpected calendar invitations from addresses you do not recognize
- If you must open a suspicious link, use a sandboxed browser or a separate, throwaway device
15. Reboot your device regularly
Applies to: Pegasus · Graphite
Some spyware deployments — including documented Pegasus variants — do not persist across device reboots, residing only in volatile memory. Regular reboots may interrupt active infections and force adversaries to re-infect the device, which increases the chances of detection and generates additional forensic traces. This is a zero-cost habit that complements all other defenses and takes seconds.
- Reboot your device at least once daily if you are at elevated risk
- Reboot immediately if you notice unexpected battery drain, overheating, or data usage spikes
If You Believe You Have Been Targeted
Do not factory reset your device immediately — this destroys forensic evidence needed to confirm an infection and identify the spyware family. Instead:
- Stop using the device for sensitive communications
- Contact Access Now’s Digital Security Helpline: accessnow.org/help — free, confidential support for activists and journalists
- Contact Citizen Lab (citizenlab.ca) if you are a journalist, human rights defender, or civil society member
- Preserve the device in its current state for forensic analysis
- Switch to a clean secondary device for communications in the interim
Sources
- Citizen Lab — Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations (Graphite)
- Citizen Lab — Sweet QuaDreams: A First Look at QuaDream’s Exploits, Victims, and Customers (Reign)
- Amnesty International Security Lab — Technical Deep-Dive into Intellexa Alliance Surveillance Products (Predator)
- Amnesty International Security Lab — Intellexa Leaks: Predator Spyware Operations Exposed (Predator/Aladdin)
- Citizen Lab — FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild (Pegasus)
- Amnesty International — Forensic Methodology Report: How to Catch NSO Group’s Pegasus
