According to TechCrunch, both Google and Apple rolled out emergency security updates this week after discovering a hacking campaign exploiting previously unknown flaws. On Wednesday, December 10, Google patched several bugs in Chrome, noting one was already being actively exploited. By Friday, Google updated its advisory to reveal the bug was found by Apple’s security team and Google’s own Threat Analysis Group, which tracks government hackers. Simultaneously, Apple released patches for iPhones, iPads, Macs, Vision Pro, Apple TV, Watches, and Safari, fixing two bugs it said were used in an “extremely sophisticated attack” on specific individuals prior to iOS 26. The companies used language that strongly suggests government-backed mercenary spyware, like that from NSO Group, was involved. Neither company provided further public comment on the incidents.
The Usual Suspects
Here’s the thing: when Apple says “extremely sophisticated attack against specific targeted individuals,” and Google‘s TAG team is involved, you can basically read between the lines. This isn’t some random credit card scam. That specific phrasing is Apple’s corporate-speak for “government-grade spyware was used to hack a journalist or activist.” The involvement of Google’s Threat Analysis Group is the biggest tell. They don’t get out of bed for everyday cybercrime. Their whole job is tracking state-sponsored hackers and the commercial spyware vendors, like NSO Group or Paragon Solutions, that sell to them. So this wasn’t a widespread campaign. It was a precision strike. The kind where the target’s phone is completely owned, their camera and mic turned on, and every message read. Scary stuff, but also very targeted.
The Silent Response
Now, the silence from both companies is pretty loud, isn’t it? Google initially gave no details at all, which is unusual. Apple’s security notes are deliberately vague. But that’s the dance. Naming a specific government or mercenary group is a diplomatic and legal minefield. So they patch the holes, warn users in the broadest possible terms, and move on. The unspoken message to users is clear, though: update your stuff. Right now. Because while you might not think you’re a target, these exploit chains can get repurposed or leak. What starts as a tool against a dissident can end up in the hands of a criminal group. That’s how these things always go.
A New Normal
So what does this mean going forward? I think it cements the trajectory we’ve been on for years. The commercial spyware industry is thriving, and its products are constantly finding new, unpatched flaws in our most trusted devices. Apple and Google are in a perpetual, high-stakes game of whack-a-mole. They build the walls, and these well-funded groups find a new crack. For the average person, the immediate takeaway is simple: enable automatic updates. Seriously. But on a broader level, it’s a grim reminder that our personal devices are now the primary battlefield for global digital espionage. The updates will keep coming. And, unfortunately, so will the attacks.
