Zero-Click Spyware: Turn On These Free Phone Security Modes
Apple, Google, and Meta ship free security modes that stop zero-click spyware cold. Here's what each does, what you give up, and how to switch it on in under two minutes.
Protecting your phone from spyware no longer requires clicking on anything — the exploit can fire before you even see the message. A TechCrunch report published May 23, 2026 covers how zero-click exploits from Paragon Solutions infected phones belonging to journalists and civil society members with no interaction required from the victim.
Apple, Google, and Meta each ship free security modes built to block exactly this class of attack. Almost nobody has them switched on.
🔍 What a Zero-Click Attack Actually Means
A traditional phishing attack needs your cooperation: open a file, follow a link, enter a password. A zero-click attack exploits a bug in how an app processes incoming data — a message preview, an image render, a file header — before you ever interact with it. You receive a WhatsApp message, your phone's parser processes it, the exploit fires silently. You see nothing unusual.
This matters because "don't open files from strangers" is not a defense against this. The vulnerable code runs automatically, at the OS or app level, regardless of what you do.
Key takeaway: Zero-click attacks don't require a mistake on your part. The defense has to be built into the platform — and the platforms have now built it in. You just have to turn it on.
The scale of the problem is real: in early 2025, ~90 journalists and civil society members were notified by WhatsApp that Paragon Solutions had targeted their devices. In March 2025, Apple confirmed that two journalists had been hit by Paragon's Graphite spyware via zero-click exploits. In 2019, NSO Group's campaign targeted approximately 1,200 WhatsApp users using similar techniques.
🔒 Apple's Lockdown Mode
Lockdown Mode is Apple's maximum-security setting. It deliberately restricts features that are common attack surfaces:
| Restricted feature | Why it matters |
|---|---|
| Message attachments (non-image) | Blocks exploit payloads delivered via Messages |
| Link previews in Messages | Removes remote-content fetching that has been weaponized |
| Incoming FaceTime calls from unknowns | Stops call-based zero-click attacks |
| USB/accessory connections when locked | Blocks forensic tools and hardware exploits |
| Safari JavaScript JIT | Reduces browser memory-corruption attack surface |
| Certain Wi-Fi and cellular features | Closes historically exploited connectivity paths |
Apple stated as of March 2026 that it has "never detected a successful attack on an Apple device with Lockdown Mode enabled." Citizen Lab independently verified that Lockdown Mode stopped at least one NSO Group Pegasus attack that would otherwise have succeeded.
Trade-offs: Some web pages render slower. Shared albums in Photos don't work. Certain apps behave differently. Most users won't notice the difference in daily work, but test it for a day before making it permanent.
How to enable it:
- Settings → Privacy & Security → Lockdown Mode
- Tap "Turn On Lockdown Mode"
- The device restarts to apply the changes
Who this is for: Journalists, lawyers, NGO workers, researchers, activists — anyone whose phone is a realistic target for commercial or state-sponsored spyware. If that's you, the trade-offs are worth it.
📱 Google's Two-Layer Protection
Google separates its defenses into two programs operating at different levels. You can enable both independently, and they complement each other.
Advanced Protection Program (account-level)
Launched in 2017, this locks down your Google account rather than your device. It restricts what can access your data and makes account takeovers significantly harder.
| Feature | What it does |
|---|---|
| Third-party app access | Blocked; only Google's apps can access Drive, Gmail, and Docs |
| Deep Gmail Scans | Additional phishing-detection passes on incoming mail |
| Account recovery | Hardened against social-engineering attacks on support |
Setup requirement: You must enroll with a physical FIDO2 security key or a software passkey. Every login attempt from an unrecognized device will require the key. Enrollment is at myaccount.google.com/advanced-protection.
Android's Advanced Protection Mode (device-level)
Introduced in 2025, this is Android's answer to Apple's Lockdown Mode:
- Google Play Protect malware scanning is enforced and cannot be turned off
- Sideloading (apps from unknown sources) is blocked
- USB connections are blocked while the device is locked
- 2G network connections are blocked — 2G is vulnerable to IMSI-catcher interception
- The device auto-reboots after 72 hours of being locked, clearing any malware that lives only in memory
How to enable it:
- Settings → Security & Privacy → Advanced Protection
- Follow the on-screen enrollment steps
Note for Sri Lankan Android users: Many budget handsets sold here run Android Go or heavily customized OEM firmware. Verify your Android version before treating this mode as a complete solution — older or lightly maintained builds may not implement all restrictions fully.
💬 WhatsApp's Strict Account Settings
Meta added Strict Account Settings to WhatsApp in 2026, directly in response to the Paragon campaign that targeted ~90 users in early 2025. It's the most accessible option here: no hardware required, works on any phone running a recent version of WhatsApp.
| Setting | Effect |
|---|---|
| Two-step verification | Enforced automatically on enrollment |
| Attachments from unknown senders | Blocked before they reach your device |
| Profile photo and info | Hidden from anyone not in your contacts |
| IP address in calls | Masked — calls route through WhatsApp's servers |
The IP-masking is worth calling out separately. Standard WhatsApp calls can expose your real IP address to the person on the other end. Enabling strict mode routes calls through Meta's infrastructure so the caller cannot trivially determine your network location.
How to enable it:
- WhatsApp → Settings → Privacy → Advanced
- Enable "Strict Account Mode"
💡 What This Means for You
For most people — developers, students, freelancers — these attacks are not your current threat model. Paragon Solutions and NSO Group charge per-target fees that put them out of reach for casual criminals. The realistic attacker against a typical person is not running zero-click exploits.
But certain situations shift the calculus:
- You work for an international NGO, media organization, or law firm handling sensitive cases
- You travel frequently and connect to untrusted public networks
- Your phone is the sole authenticator for business-critical accounts
- You cover politically sensitive topics as a journalist or researcher in Sri Lanka or anywhere else
In those cases, the cost of enabling these modes is genuinely low: a slightly slower mobile browser, two minutes of setup. The protection is asymmetric — you lose almost nothing and add a layer that has demonstrably stopped state-level attacks that got past everything else.
Security researcher Runa Sandvik put it plainly: these features are "free, easy to enable, and the best defense we have today against sophisticated spyware."
Run through the checklist once per device. None of this requires ongoing maintenance after the initial setup.