
A fast-moving spyware campaign has forced Apple, Google and the U.S. government into an unusually coordinated response, as federal officials warn organizations to either update Chrome and other Chromium-based browsers by January 2, 2026, or stop using them altogether. The directive follows the discovery of two zero‑day flaws in Apple’s WebKit engine that were actively exploited in “extremely sophisticated attacks against specific targeted individuals,” with infections reported in 80 countries.
Critical WebKit Flaws Expose All iOS Browsers

Apple and Google rushed out emergency fixes for two WebKit vulnerabilities, tracked as CVE‑2025‑43529 and CVE‑2025‑14174, after detecting live exploitation. CVE‑2025‑43529 allows arbitrary code execution when a user encounters malicious web content, while CVE‑2025‑14174 is a memory corruption bug in WebKit’s ANGLE component that can be used to escape the browser sandbox and escalate privileges.
Because WebKit underpins Safari, Apple Mail, the App Store and every third‑party browser on iOS and iPadOS, the flaws effectively exposed every browser on iPhones and iPads, including Chrome, Firefox, Edge, Brave and Opera. Google separately addressed CVE‑2025‑14174 in Chrome 131.0.6778.264 on December 10, 2025, a release that also cascades to Chromium‑based browsers such as Microsoft Edge, Opera, Brave and Vivaldi.
Google’s Threat Analysis Group, which tracks government‑backed hackers and commercial surveillance vendors, worked with Apple’s security engineers to identify and analyze the bugs while they were being used in active attacks.
Apple’s Ecosystem‑Wide Emergency Patching

Apple’s patches span almost every modern device in its lineup. The company says iPhone 11 and later models require iOS 26.2 or compatible security updates. On tablets, iPad Pro (3rd generation and later), iPad (11th generation and later), iPad Air (3rd generation and later) and iPad mini (5th generation and later) need iPadOS 18.7.3 or equivalent.
Mac systems must be updated to macOS Tahoe 26.2, or to supported versions such as macOS 13.2, 12.6 or 11.6 that include the fixes. Apple has also released patches for Apple Watch, Apple TV, Vision Pro and Safari, closing the same underlying browser‑engine holes across its ecosystem.
Users are urged to navigate to Settings > General > Software Update on iPhones and iPads, and to install the latest available macOS release on Mac computers. On the Google side, Chrome users can go to Settings > About Chrome to confirm they are running version 131.0.6778.264 or later and to enable automatic updates.
Predator Spyware, “Aladdin” Ads and Zero‑Click Infections

Technical and intelligence indicators point to Predator spyware, developed by the Intellexa consortium, as the toolset used to weaponize the WebKit flaws. Google Threat Intelligence has reported that Intellexa continues “evading restrictions and thriving” despite U.S. sanctions, in part through restructuring and jurisdictional changes that allow it to keep serving clients worldwide.
According to Google’s reporting, Intellexa created “Aladdin,” a zero‑click infection method that abuses online advertising. In this model, malicious ads are inserted into advertising streams on legitimate, trusted sites and applications. They appear indistinguishable from standard promotional material, but viewing a booby‑trapped ad is enough to trigger the exploit chain—no taps, clicks or downloads are required from the target.
On December 2, 2025, Apple and Google sent warning notices to several hundred accounts across 80 countries, informing recipients that they had been targeted with zero‑click Predator spyware. The notifications made clear that these were not broad, indiscriminate campaigns but tightly focused operations against selected individuals.
Rising Tide of Zero‑Days and Government Intervention

The latest patches add to a mounting list of exploited flaws in 2025. With these WebKit issues, Apple has now confronted nine zero‑day vulnerabilities that were abused in the wild this year, while Google has addressed eight zero‑day flaws in Chrome over the same period. Security specialists have described the recent surge, and in particular the December activity, as a critical phase marked by a concentration of attacks on browser engines.
Researchers say this reflects a shift in the economics of vulnerability discovery and exploitation. As operating systems and apps adopt stronger built‑in protections, attackers are focusing time and money on complex bugs in foundational components such as WebKit and Chromium. Browser engines are attractive because compromising them can yield deep access to devices that are otherwise tightly locked down.
James Maude of BeyondTrust warned that limited, highly targeted exploits are likely to become broadly adopted tools once details are reverse engineered from public patches, accelerating their spread among different attacker groups. Darren Guccione of Keeper Security emphasized that there is effectively no behavioral workaround for this class of flaw and that installing updates is the only reliable defense.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2025‑14174 to its Known Exploited Vulnerabilities catalog on December 12, 2025. That move activated Binding Operational Directive 22‑01, which compels U.S. federal civilian agencies to update Chrome and other Chromium‑based browsers by January 2, 2026, or stop using them. CISA described the situation as an “update or disconnect” scenario and strongly urged all organizations, not just government entities, to prioritize remediation.
Reinforcing Defenses and Rethinking Mobile Security

For individuals and institutions, security professionals describe three immediate priorities: install all available Apple and Google patches, ensure Chromium‑based browsers are updated, and adopt layered safeguards where possible.
Apple’s optional Lockdown Mode is highlighted as a particularly important protection for people at elevated risk, such as journalists, activists and senior executives. The feature restricts a range of potentially dangerous capabilities by default, including certain message previews, complex web technologies, many types of attachments and unexpected FaceTime calls. By disabling JavaScript just‑in‑time compilation and other advanced features, Lockdown Mode is estimated by researchers to block the vast majority of known mercenary spyware techniques, including many zero‑click pathways.
Additional measures recommended by experts include switching on iCloud Private Relay to conceal IP addresses and encrypt DNS queries, using private browsing with JavaScript disabled on untrusted sites, avoiding unsolicited links or attachments, and turning off Wi‑Fi and Bluetooth when not needed. Regular device reboots can disrupt some persistence methods, and reputable virtual private network services are advised on untrusted networks. Organizations are encouraged to deploy DNS filtering, intrusion detection and endpoint security tools, and to integrate CISA’s Known Exploited Vulnerabilities catalog into their threat intelligence processes.
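One way to act on the KEV integration recommended above, shown as an added example that is not code from the article or from CISA: it joins a KEV-style record with a browser inventory and reports hosts still below the fixed Chrome version, with the days remaining to the due date. The field names follow CISA's KEV JSON feed; the inventory rows, host names and the `FIXED_IN` mapping are constructed for illustration.

```python
from datetime import date

# Constructed record in the shape of CISA's KEV JSON feed (cveID, dateAdded,
# dueDate); the CVE ID and both dates are the ones given in the article.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2025-14174", "dateAdded": "2025-12-12", "dueDate": "2026-01-02"},
]}

# Assumption: a locally maintained map of CVE -> (product, first fixed version).
# Only Chrome's fixed version appears in the article; other Chromium-based
# browsers use their own version numbers and need their own entries.
FIXED_IN = {"CVE-2025-14174": ("chrome", "131.0.6778.264")}

# Constructed inventory rows, e.g. from an endpoint-management export.
INVENTORY = [
    {"host": "ws-001", "product": "chrome", "version": "131.0.6778.204"},
    {"host": "ws-002", "product": "chrome", "version": "131.0.6778.264"},
    {"host": "ws-003", "product": "chrome", "version": "131.0.6778.99"},
    {"host": "ws-004", "product": "chrome", "version": "132.0.6834.83"},
    {"host": "ws-005", "product": "firefox", "version": "133.0"},
]

def parse_version(text):
    """Compare versions numerically: as strings, '...99' sorts after '...264'."""
    return tuple(int(part) for part in text.split("."))

def kev_findings(kev, fixed_in, inventory, today):
    """Return hosts below the fixed version, with days left to the KEV due date."""
    findings = []
    for vuln in kev["vulnerabilities"]:
        if vuln["cveID"] not in fixed_in:
            continue  # no local version mapping for this KEV entry
        product, fixed = fixed_in[vuln["cveID"]]
        days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
        for row in inventory:
            if row["product"] == product and parse_version(row["version"]) < parse_version(fixed):
                findings.append({"host": row["host"], "cve": vuln["cveID"],
                                 "version": row["version"], "days_left": days_left,
                                 "overdue": days_left < 0})
    return findings

if __name__ == "__main__":
    for finding in kev_findings(KEV_SAMPLE, FIXED_IN, INVENTORY, date(2025, 12, 20)):
        print(finding)
```

Host ws-003 is the case to watch: a plain string comparison would treat 131.0.6778.99 as newer than 131.0.6778.264 and report it as patched.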
Beyond immediate countermeasures, the Predator campaign underscores deeper architectural questions about mobile and browser security. The near‑universal reliance on WebKit for iOS browsers and on Chromium for many desktop and Android browsers creates powerful single points of failure. Some researchers argue that greater diversity in browser engines could reduce systemic risk, while others caution that fragmentation might hinder consistent security hardening.
At the same time, the commercial surveillance marketplace continues to reward vendors capable of delivering reliable zero‑click exploits. Companies like Intellexa compete on the ability to compromise devices silently through routine activities such as loading a web page or viewing an advertisement, and sanctions to date have not eliminated demand. Security analysts expect further investment in such techniques, and anticipate that organizations will need to broaden their security awareness programs beyond phishing to include zero‑click threats.
For now, specialists say the most effective response is rapid patching, especially in the critical days after a fix is released, combined with stricter protective modes for those most likely to be targeted. How quickly institutions and individuals act on these latest warnings will influence not only the impact of the current campaign, but also how aggressively spyware vendors invest in the next generation of browser‑based attacks.