Cyber Criminals Are Increasingly Targeting iPhones and Macs. Here's How to Thwart Them.

CR asked security experts to explain what's changed and what you can do about it

For a long time, people assumed that Apple devices—iPhones in particular—were safe from malware and other cyber threats, because they were too limited in number and too tough for cyber criminals to hack.

But attacks against Apple products have grabbed headlines in recent months, prompting concern as Apple raced to release a slew of software patches to fix critical vulnerabilities.

In late March, the company pushed out an update for iPhones, iPads, and Apple Watches to fix a vulnerability discovered by security researchers at Google’s Project Zero.

In early May, the company released emergency fixes for the operating systems behind iPhones, Apple Watches, iPads, and Mac computers to address a flaw related to the Safari web browser.

And the recent iOS 14.6 rollout featured a handful of non-critical security fixes.

“You could say Apple has had a bad year overall,” says Adam Gordon, a cybersecurity consultant who teaches cybersecurity classes for ITProTV.

He noted the announcement last fall from five hackers who said they had discovered 55 Apple vulnerabilities, 11 of which were deemed critical, over a period of three months. As of October, the group had received just under $300,000 in “bug bounties” from Apple for uncovering the issues.

But just one of those security issues could have commanded a higher sum from a group eager to exploit it, says Richard Hosgood, director of engineering for the cybersecurity firm Votiro.

“A single organization or nation state is willing to pay tens of millions of dollars for something like that,” he says, adding that while Apple does pay substantial bug bounties, “you have to jump through hoops to get it.”

The fact is, while the vast majority of cyber threats still target PCs running the Windows operating system, Apple’s devices are not—and never have been—immune from these dangers. And yet, many security experts were surprised to hear Craig Federighi, Apple’s head of software, actually acknowledge in court last month that the company isn’t pleased with the amount of malware found on its macOS operating system.

Apple does a better job keeping malicious software out of its iOS mobile platform than macOS, Federighi said. But, experts warn, threats against smartphones in general are on the rise, as people use them to do more work than ever on the go.

And, the millions of iPhones currently in use—pretty much all running the same software—represent an especially juicy target.

Apple did not respond to requests from Consumer Reports for comment, but here’s what you need to know about the security of your Apple devices—along with tips from cybersecurity experts on how to protect them.

What's Changed?

For many years, Apple’s computers represented just a tiny fraction of the world market, offering little upside for cyber criminals. But that’s changing. In 2020, the company claimed a 7.6 percent share of the global computer market, up from 6.7 percent in 2019, according to the research firm IDC. From one year to the next, global sales jumped 29 percent.

Attacks against Macs increased, too. According to Malwarebytes’ most recent State of Malware report, the threats against Mac computers detected by the company’s antivirus software jumped 61 percent in 2020. But note that the vast majority of those threats targeted business computer systems, rather than consumer devices.

When it comes to iPhones, however, criminals have plenty of incentive to attack, given the size and relative wealth of the user base, and the fact that, unlike Android phones, nearly all iPhones use the same exact operating system.

“iPhones are, of course, ubiquitous, but they are also notoriously hard to attack,” says Thomas Reed, director of Mac and mobile at Malwarebytes. But if breached, they “provide the ultimate attacker paradise,” he adds, noting that security software designed to scan iOS devices for malware doesn’t exist yet, like it does for laptop and desktop computers.

Still, Apple does a very good job of locking down its phones, says Hosgood. In general, they’re much harder to exploit than a traditional computer, which is why the vast majority of threats still target the latter.

And while the slew of recent Apple patches may seem troubling, it proves that security issues are getting resolved instead of looming in the dark.

When it comes to patching, Reed says, Apple has a pretty good track record, quickly rolling out quality fixes. You can do your part by making sure those fixes are installed without much delay.

How to Protect Yourself

To shield your laptops, tablets, and smartphones from security threats, the best thing to do is keep your operating system updated. Try to avoid the online traps that allow attackers to exploit undiscovered problems, too.

Here are some tips for making that easier.

Enable automatic updates. While updating your devices can sometimes be tedious, it’s important to not put off the task because that delays the installation of security patches.

To make things easier, set a phone or laptop up to update overnight, when the process is less likely to disrupt your life. Keep your device plugged in, too, because updates often require that.

Not sure if the device is up to date? Here’s how to check.

On an iPhone, go to Settings > General > Software Update.

On a Mac computer, go to Launchpad > System Preferences > Software Update.

If it’s clear the device is no longer getting operating system updates, it’s time to get rid of it.

Beware of phishermen. Attackers can’t exploit a security bug on a connected device unless you give them a way in. That usually happens when you click on a malicious link or attachment in an email, text message, or social media post.

While Apple and Google both do a pretty good job of keeping dangerous apps out of their stores, some occasionally sneak through and can be tough to spot. Beware of apps that ask to collect more information than you’re comfortable giving. And don’t download apps from a third-party store. That’s almost always a bad idea.

If you think your phone already has been compromised, don’t just delete the malicious file or app. That won’t fix the problem. You’re going to have to perform a factory reset. (Hopefully, your data is backed up in the cloud, so you can restore it once the process is done.) If something still seems off, take the phone to a professional.

Use AV software. Macs and mobile devices need antivirus software, too. And there are a bunch of security suites out there that will cover nearly all of your gadgets, whether they run Android, iOS, macOS, or Windows.

As mentioned before, due to Apple security restrictions, AV software can’t scan iPhones for viruses, but it can do other helpful things like block malicious websites, calls, and texts. Need help finding some software? Check out our ratings of antivirus software.

Bree Fowler

I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).