
In December 2025, hundreds of iPhone and Android users received threat notifications warning that their devices had been "targeted" by spyware; reporting also noted that Apple's notifications covered 84 countries. A few days later, Apple and Google released emergency patches for vulnerabilities suspected of being used to implant malware, showing that such attacks, while highly targeted, continue to spread and may affect a broader population.

The article stresses that "zero-click" is the key trend: infection can occur without clicking a link or downloading a file, after which attackers can read messages, log keystrokes, take screenshots, monitor notifications, access banking apps, exfiltrate emails/SMS, steal credentials, and log in to cloud systems. Although advanced samples usually require forensic analysis to confirm, sudden performance drops, overheating, abnormal network connections, or the camera/microphone activating unexpectedly, together with official threat notifications, are all important signals; in another case a target was targeted by Pegasus 14 times between 2020 and 2021.

The defensive priorities are reducing the chance of implantation and keeping devices patched: on iPhone, enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode), trading reduced functionality for stronger protection; Apple also states that mercenary spyware is often associated with state-level operations, can cost "millions of dollars", and targets only a very small number of people. On Android, use Advanced Protection, which Android 16 strengthens with intrusion logging, USB protection, and avoiding automatic reconnection to insecure networks; also avoid suspicious links and side-loading, install apps cautiously, and take note of research on malicious browser extensions that affected "millions" of users. If infection is suspected, a reboot may temporarily disrupt it, but the most conservative course is to replace the device, and organizations such as Access Now and Reporters Without Borders can help.

In December 2025, hundreds of iPhone and Android users received threat notifications saying their devices had been targeted by spyware, and reporting linked Apple’s alerts to users in 84 countries. Days later, Apple and Google issued emergency patches for flaws experts believe were used in these intrusions—evidence that highly targeted mobile spyware remains “rare” but is proliferating and potentially widening beyond traditional high-risk groups.

A major trend is “zero-click” compromise: infection can occur without tapping links or downloading files. Once implanted, spyware can read messages (including in encrypted apps), log keystrokes, take screenshots, monitor notifications, access banking apps, exfiltrate emails/texts, steal credentials, and pivot into cloud and enterprise systems. Detection is hard; subtle indicators include overheating, sudden slowdowns, or unexpected camera/mic activity, while official alerts from Apple/Meta/Google should be treated as high-signal warnings.

Mitigation emphasizes prevention and rapid patching. Apple points users to Lockdown Mode (Settings → Privacy & Security → Lockdown Mode) and highlights defenses like Memory Integrity Enforcement; it also claims mercenary spyware campaigns can cost millions of dollars and target only a very small number of people. Google’s Android Advanced Protection is enhanced in Android 16 (intrusion logging, USB protection, options to avoid auto-reconnect to insecure networks). Practical steps include avoiding unknown links, limiting installs/side-loading, using reputable VPN/Tor when needed, restarting to disrupt some infections, and replacing the device if compromise is suspected; civil-society support includes Access Now and Reporters Without Borders.

2026-01-05 (Monday) · 0d88884690769451051eaacd9c186b060a89e908