A sweeping new cybersecurity advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging all iPhone and Android users worldwide to take immediate precautions amid growing evidence that advanced commercial spyware is being deployed to infiltrate smartphones — even those protected by encrypted messaging apps such as Signal, Telegram and WhatsApp.
The alert comes after reports of a dangerous spyware tool, known as “Sternus,” which researchers say can bypass end-to-end encryption by compromising the device itself, giving attackers potential access to private messages, photos, calls and location data.
CISA warned that a rising number of hacking groups are using highly sophisticated surveillance tools — once limited to nation-states — to target ordinary users, journalists, activists, government officials and business professionals.
“Everyone With a Smartphone Should Consider Themselves at Risk”
That was the stark message from U.S. officials, who say the capabilities of modern spyware have expanded far beyond traditional cyber threats.
“These tools no longer require deep technical knowledge,” the agency said. “They are now commercially available, widely distributed, and increasingly used for unauthorized surveillance.”
The agency’s advisory emphasizes that phone users must take immediate steps to harden their devices.
CISA’s Recommended Security Measures for iPhone Users
CISA outlined several actions that iPhone owners should implement without delay:
- Enable Lockdown Mode, which restricts potentially harmful features in high-risk situations.
- Disable “Send as SMS” in iMessage settings to ensure messages remain encrypted.
- Turn on iCloud Private Relay to hide browsing activity from networks and trackers.
- Review app permissions, especially for location, camera and microphone access, and revoke any unnecessary privileges.
These steps, CISA says, can dramatically reduce the attack surface exploited by spyware tools.
Google and Android Users Receive Their Own Set of Urgent Guidelines
For Android users, CISA recommended:
- Choosing phones with long-term security support, including models from Google and Samsung.
- Configuring Private DNS using Cloudflare (1.1.1.1), Google (8.8.8.8) or Quad9 (9.9.9.9).
- Activating secure browser features such as “Always Use Secure Connections” and “Enhanced Safe Browsing” in Chrome.
- Ensuring Google Play Protect remains switched on.
- Regularly checking and restricting app permissions.
Cybersecurity experts say Android’s openness makes security hygiene even more critical.
British Cyber Agency Adds Universal Advice for All Phones
The U.K.’s National Cyber Security Centre (NCSC) issued additional universal recommendations:
- Use a strong passcode or PIN; avoid predictable options like birthdays or sequences.
- Enable remote device tracking and data wipe (Find My iPhone / Find My Device).
- Keep phones and apps updated to the latest versions.
- Avoid connecting to unknown or public Wi-Fi networks, which are common hacking points.
Why CISA Says Users Should Stop Using VPNs
In a notable twist, CISA cautioned ordinary users not to use personal VPN apps, warning that many free or low-cost VPN services collect user data or expose traffic to third parties — in some cases worsening security instead of improving it.
“The risk isn’t eliminated,” an official explained. “It is simply transferred from your internet provider to the VPN operator — and many of these companies are opaque, unregulated or directly linked to data brokers.”
The advisory clarifies that only enterprise-level, organization-issued VPNs are considered safe for work purposes.
A Growing Threat Landscape
The rise of commercial spyware tools capable of penetrating even encrypted platforms has alarmed cybersecurity agencies across the world. Experts say tools like Sternus pose a “paradigm shift” in smartphone security, allowing attackers to surveil individuals silently and remotely.
For millions of smartphone users, the warning is clear: strong passwords, restrictive permissions, and built-in security tools are no longer optional — they are essential.
