Despite Apple’s best efforts, malware occasionally sneaks through onto the App Store. Phishing represents a persistent threat, as does the risk of users encountering malicious content while browsing. There’s also a growing threat from zero-day (serious, previously unknown security flaw) exploits, many of which are discovered and weaponized by commercial spyware developers and require neither clicks nor any other user interaction.

In this context, it makes sense not only to take proactive measures to keep your devices safer, but also to better understand what the warning signs of malware infestations are, and how to take rapid action in the event of a worst-case scenario. This guide covers all three: how to tell whether your iPhone has actually been compromised, how to remove what's there, and how to harden the device against the 2026 threat landscape – including the most serious iOS zero-day discovered in nearly two decades, just patched in February 2026.

Can iPhones get malware?

The short answer is: yes, but rarely the way people imagine. Traditional viruses that self-replicate across the operating system are extraordinarily hard to deploy on iOS because of how Apple isolates apps from each other – a model called sandboxing. Every app runs in its own walled space, with no easy way to read another app's data or modify the operating system.

That model is the reason iPhones are among the most secure consumer devices on the planet. However, it doesn't make them invulnerable.

In 2026 the most probable threats to an iPhone are:

  • Phishing – fake login pages, malicious links in messages, and social-engineering scams that work on any mobile platform – iOS or Android.
  • Scareware pop-ups – fake "your iPhone is infected" alerts that try to push you toward a sketchy "scanner" download or a paid subscription. Usually not actual malware; almost always the gateway to losing money.
  • Malicious configuration profiles – small files that, once approved, give an attacker the ability to install root certificates, redirect traffic, or impose policies on your device
  • Banking trojans delivered through Progressive Web Apps (PWAs) and WebAPKs – these web applications mimic legitimate banking interfaces and capture credentials without ever going through the App Store
  • Mercenary spyware – commercial-grade implants like NSO Group's Pegasus or Intellexa's Predator, used against journalists, activists and political figures
  • Pre-installed malware on grey-market or super-cheap handsets – rare on iPhone but possible on counterfeit units

And then there's the rarest but most newsworthy category: zero-day exploits. In February 2026, Apple patched CVE-2026-20700 – a vulnerability that had been present in iOS since the original iPhone launched nearly two decades ago. Google's Threat Analysis Group disclosed it after finding evidence of in-the-wild exploitation in commercial spyware chains. Apple's own iOS 26.2 emergency update in January 2026 closed two WebKit zero-days similarly linked to Pegasus, with Apple advising its 1.8 billion users to update immediately.

Most iPhone users won't ever face any of these directly (mercenary spyware is very expensive). But they're not theoretical, and they're the reason the mantra "iPhones can't get malware" is no longer accurate.

Signs your iPhone may have malware

Common signs that your iPhone might be infested include:

Increased Data Usage: Unexpected spikes in data consumption might indicate malware running in the background. Check under Settings → Cellular.

Battery Drain: If your battery seems to be running out of charge faster than normal, it may be a sign of malicious processes running without your knowledge. Check under Settings → Battery.

Overheating: Devices do get warm through continuous use, especially in the hotter months, but if one becomes unusually hot, it could be due to unnoticed malicious activity on the device.

App Crashes: Your iPhone should offer a pretty stable, optimized user experience. So frequent application crashes or unresponsiveness won’t happen unless something is wrong.

Pop-up Ads: Unwanted pop-up ads are annoying at best, and at worst could be malicious if clicked on. If your device is suffering, it may have been infested with adware. Note: a pop-up that says "your iPhone has 17 viruses, click here" is almost certainly scareware, not malware – see the next section.

Unexplained Changes: Are there any new apps that you don’t remember installing on your device? Maybe the settings have been changed in some way. Or there’s a new screensaver. Any of these should be a red flag that malware has made unauthorized changes to your device.

An Eye-watering Phone Bill: Some malware makes money for its developers by using premium rate services in the background. The first you might learn of such activity is when you get your monthly phone bill.

You’re Spamming Your Contacts: Some malware hijacks your accounts to send malicious or unwanted messages to your email, address book and social media contacts and friends. If they start complaining en masse, it could be worth investigating the cause.

Unknown configuration profiles: Go to Settings → General → VPN & Device Management. On a personal device this list should be empty or contain only profiles you knowingly approved (employer MDM, a VPN provider). Anything else is a red flag – see the next section.

How to check your iPhone for malware (the real way, in Settings)

There's something every legitimate guide on this topic has to admit upfront: there is no full system scan on iOS, and no third-party app can perform one. Apple's sandboxing model means no app gets to inspect what any other app is doing. The "iPhone antivirus" apps on the App Store can do many useful things – block phishing links in your browser, flag unsafe Wi-Fi networks, scan messages for malicious URLs – but they cannot scan the operating system itself.

What you can do is check the parts of iOS that attackers actually use. Check for unusual battery drain, overheating, unfamiliar apps, surprise data spikes, pop-up ads outside Safari, and any configuration profiles you didn't install (Settings → General → VPN & Device Management).

Check installed configuration profiles:

Go to Settings → General → VPN & Device Management. On a personal device, this list should be empty or contain only profiles you knowingly approved – your employer's MDM, a VPN provider, a school. Anything else, tap it, then tap Remove Profile.
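An added example, not part of the original guide: for an IT security team that has been handed a suspicious .mobileconfig file, this Python script lists the payloads in it that install certificates, reroute traffic or enroll the device in management. The sample profile and every name in it are constructed, and the fallback for signed profiles extracts the embedded property list without verifying the signature.

```python
import plistlib

# Apple-documented PayloadType values that change trust, traffic routing or
# device management. The risk notes are this example's own wording.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root certificate (allows TLS interception)",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.proxy.http.global": "forces web traffic through a proxy",
    "com.apple.dnsSettings.managed": "overrides DNS resolution",
    "com.apple.webcontent-filter": "filters or inspects web traffic",
    "com.apple.mdm": "enrolls the device in remote management",
}


def load_profile(raw: bytes) -> dict:
    """Parse an unsigned profile, or pull the plist out of a signed one."""
    try:
        profile = plistlib.loads(raw)
    except Exception:
        # Signed profiles wrap the XML plist in a CMS envelope. Locate the
        # embedded XML; this does NOT validate the signature.
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start == -1 or end == -1:
            raise ValueError("no property list found in input")
        profile = plistlib.loads(raw[start:end + len(b"</plist>")])
    if not isinstance(profile, dict):
        raise ValueError("top-level object is not a profile dictionary")
    return profile


def audit_profile(raw: bytes) -> list:
    """Return one finding per payload or setting that deserves review."""
    profile = load_profile(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            name = payload.get("PayloadDisplayName", "(unnamed)")
            findings.append(f"{ptype}: {name} - {RISKY_PAYLOADS[ptype]}")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed: the user cannot remove this profile")
    return findings


# Constructed sample profile: a harmless-looking name hiding a root CA and a proxy.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Free Wi-Fi Speed Boost",
    "PayloadIdentifier": "invalid.example.profile",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Example CA"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadDisplayName": "Web Proxy"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Cafe Wi-Fi"},
    ],
})

# Constructed stand-in for a signed profile: binary bytes around the same XML.
SIGNED_LIKE = b"\x30\x82\x04\x00" + SAMPLE + b"\x00\x00"

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```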

Check for unfamiliar apps:

Swipe past your last home screen page to open the App Library. Scroll through every app installed. Long-press anything you don't remember installing – and delete it. Pay particular attention to apps with names that try to look generic ("Cleaner", "VPN", "Battery Saver") or that you can't recall ever opening.

Check Safari permissions and extensions:

Settings → Apps → Safari → Advanced → Website Data. Tap "Remove All Website Data" to clear cookies, cache and stored credentials. Then Settings → Apps → Safari → Extensions – review what's enabled and turn off anything you don't actively use.

Check Battery and Cellular Data for anomalies:

Settings → Battery shows you a 24-hour and 10-day view of which apps used power, including a Background Activity indicator. Anything unfamiliar consuming a lot of energy in the background is worth investigating. Settings → Cellular gives you the same view for data.

Check Apple ID sessions:

Settings → tap your name at the top. Scroll to the bottom; you'll see every device signed in to your Apple ID. If there's a device you don't own, tap it and remove it, then change your Apple ID password and review two-factor authentication.

How to remove malware from your iPhone

Cybercriminals, abusive partners and even government spies may target your device(s) for eavesdropping, data theft and more. If the worst happens and you find malware on your iPhone, follow these steps to contain and mitigate the threat as rapidly as possible:

1. Restart Your iPhone: Hold the power button down and turn the device off. Wait a few seconds and turn it back on. Sometimes a simple reboot can resolve minor issues and halt any malicious processes that may be running.

2. Update iOS: Always ensure your device is running the latest iOS version, as that means it is also on the most secure version. At the time of writing, that means iOS 26.3 or later – the version that patched CVE-2026-20700 and the WebKit chain associated with commercial spyware.

3. Clear Browser Data: Malware can sometimes live in your browser's cache. To clear it:

  • Go to Settings > Safari
  • Tap Clear History and Website Data
  • Confirm the action

This may have the extra benefit of ensuring you don’t revisit malicious websites via your browser history.

4. Delete Suspicious Apps: Malware sometimes lurks inside legitimate-looking applications. Although it rarely makes it past Apple’s strict App Store vetting process, malicious apps may be more common on third-party stores. Uninstall any unfamiliar or recently installed apps that may have coincided with the onset of issues. Additionally, remove suspicious configuration profiles at the same time: Settings → General → VPN & Device Management → tap any profile you didn't install → Remove Profile.

5. Restore from a Clean Backup: Persistent malware will survive a simple reboot. In this case, restore your iPhone to a previous backup made before the issue began.

  • Select General then Transfer or Reset iPhone
  • Choose Erase All Content and Settings
  • Select Restore from iCloud Backup

6. Perform a Factory Reset: If the above doesn’t work, it’s time to take the nuclear option and reset your iPhone to factory settings. Note that this will erase all your data, contacts and personalized settings, so it should be a last resort:

  • Go to Settings > General > Transfer or Reset iPhone
  • Select Erase All Content and Settings
  • Follow the on-screen instructions to complete the reset

When none of the above works – the high-risk user playbook

If your symptoms persist after a factory reset and you have reason to suspect a targeted attack – you're a journalist, activist, lawyer or executive with specific concerns or known adversaries – see the high-risk user playbook later in this article. Mercenary spyware isn’t always removable with a standard reset, and recovery may require a different approach entirely.

How to keep malware off your iPhone in the first place

When it comes to device security, prevention is usually better than the cure. So, whether you’re an individual user or an IT security manager, take these proactive steps to avoid malware infection:

  • Avoid Jailbreaking: Jailbreaking, or modifying your phone, may be tempting, especially if you want to personalize your experience. But it will worsen security by exposing your device to potentially dangerous applications outside of Apple’s “walled garden”. Jailbroken devices will not auto-update to the latest, most secure version of iOS. The security trade-off is not proportional to the gains – you give up Apple's defenses in exchange for a customization gain most users never realize.
  • Download apps from trusted sources only: Only install apps from the official App Store to reduce the risk of malware hiding in legitimate-looking software. If you're in the EU and using sideloaded apps via alternative marketplaces, vet the marketplace itself and the developer with the same scrutiny you'd give a financial product.
  • Avoid unknown links and attachments: Don’t click on links in unsolicited emails/messages or download attachments. If you are still keen to do so, check with the sender first (but not by replying directly) that it is a legitimate message and not a phishing attack.
  • Strengthen authentication: Use multi-factor authentication (MFA), a password manager and strong, unique passwords for all applications and websites to head off phishing risks. This will also improve user experience, as iPhones come with Face ID for seamless biometric authentication. Add passkeys where available – these are increasingly supported by major services in 2026 and more resistant to phishing than passwords or codes.
  • Enhance user awareness: Update security awareness training for employees, using real-world simulations to keep them aware of the latest tricks. And ensure they know all the key iPhone attack vectors, e.g. mobile applications requesting additional permissions, email and SMS phishing URLs, and downloading APKs.
  • Use a VPN on public Wi-Fi: Free Wi-Fi can imperil iPhone security and privacy. So, ensure all employees are prohibited by policy from using it, unless via a VPN.
  • Configure devices properly: Ensure device settings are optimized for privacy and security.
  • Turn on stolen device protection: Settings → Face ID & Passcode → Stolen Device Protection. With this on, if your iPhone is in an unfamiliar location and someone tries to use a known passcode to change critical security settings – your Apple ID password, the Face ID enrolment, Find My – iOS will demand a biometric check first and impose a one-hour delay before the change takes effect. This is the single biggest defense against the "watch you type your passcode then steal the phone" attack.
  • Turn on advanced data protection for iCloud: Settings → [your name] → iCloud → Advanced Data Protection. By default, Apple holds the encryption keys to most of your iCloud data, which means a compromise of Apple itself (or a court order) could expose it. Advanced Data Protection extends end-to-end encryption to iCloud backups, Notes, Photos and more. The trade-off: if you lose access to your devices and recovery contacts, you lose the data forever.
  • Enable iMessage contact key verification: Settings → [your name] → Contact Key Verification. It lets you confirm, on a separate channel, that the person you're messaging is really who you think they are. Worth enabling for high-risk users; optional for everyone else.
  • Leverage New Features: Apple is always adding new security features, so familiarize yourself with the latest capabilities. From the most recent announcements, consider:
    • Enabling iMessage Contact Key Verification for high-risk users
    • Opting in to Advanced Data Protection
    • Using a third-party security key with the Security Keys for Apple ID feature
  • Use Lockdown Mode: Described by Apple as “optional, extreme protection”, Lockdown Mode restricts functionality to reduce the attack surface, especially features that could be exploited by spyware. The restrictions include, but are not limited to: attachment blocking, limits on certain complex web technologies, and restrictions on FaceTime, photo sharing, device connections and configuration profiles/mobile device management. Who should consider Lockdown Mode? Journalists, activists, lawyers handling sensitive cases, politically exposed persons and anyone who has previously been targeted. It's not a setting for everyone – you'll notice the broken functionality – but if your threat model warrants it, the trade-off is worth it.

Understanding iPhone malware scanning

When it comes to security software, it’s important to bear in mind that iPhones don't allow third-party apps to perform deep system scans. This is because of the sandboxing feature built into iOS, which securely isolates apps to protect system integrity. So, while security apps can help monitor data usage, detect malicious websites, and enable safe browsing, they cannot perform full malware scans on a device.

The 2026 iPhone threat landscape – what's actually happening

This is what's changed in the iOS security picture since the start of 2026.

CVE-2026-20700 – a decade-old iOS zero-day

In February 2026, Apple released iOS 26.3 to patch a vulnerability that had been with iOS since the original iPhone launched. Discovered by Google's Threat Analysis Group, CVE-2026-20700 was paired with a WebKit vulnerability in an exploit chain that resembled the work of commercial spyware vendors. Apple confirmed in-the-wild exploitation. The practical takeaway is the most boring possible advice: keep iOS on the latest version. Once a patch is out, the window for exploitation closes quickly – but it doesn't close at all if you stay on an older version. So, update!

The iOS 26.2 WebKit zero-days

A month earlier, in January 2026, Apple shipped an emergency update for two WebKit zero-days that had been linked to Pegasus deployments. The mechanism was familiar – a maliciously crafted webpage, viewed in Safari or via a previewed link, could be enough to compromise the device without further interaction. Apple notified its roughly 1.8 billion users to update immediately.

PWA and WebAPK abuse on iOS

ESET researchers have been tracking a category of attack that operates entirely outside the App Store. Here's the assessment from ESET Senior Malware Researcher Lukáš Štefanko:

"In 2024, we identified a novel attack vector that exploits Progressive Web Apps (PWAs) and WebAPKs to distribute malware on Android and iOS devices. Originally intended to let users install apps directly from websites via browsers, these technologies offer convenient home screen icons for web-based services. Unfortunately, attackers have leveraged them to create malicious apps that mimic legitimate banking interfaces, capturing login details, passwords, and two-factor authentication codes to gain unauthorized access to victims' accounts. Notably, PWAs and WebAPKs allow cybercriminals to operate outside official distribution channels including malicious ads, websites, phishing campaigns, social engineering, and compromised email attachments, thus bypassing Apple's traditionally stringent App Store policies. Although Apple continues to bolster its security frameworks, this evolving threat environment underscores the need for heightened vigilance and proactive defenses, including verifying an app's origin before installation."

These attacks matter because they bypass the strongest layer of iPhone defense – App Store review – without needing a jailbreak or a sideloaded app. The best defense is at the user layer: verify a banking app's origin before tapping "Add to Home Screen," and treat any banking interface that arrived through a link or browser as guilty until proven innocent. If your bank has an app, install it from the App Store and use that one. Do not add a banking interface to your home screen from a webpage you opened via SMS or messaging app.

Commercial mercenary spyware

Pegasus, Predator and their peers have continued operating throughout 2025 and 2026. They are not threats that the average user will ever face – the targeting is precise and the operational cost per target is enormous – but they shape the iOS threat landscape because they push Apple to harden defaults that benefit everyone. If you've received an Apple Threat Notification, take it seriously.

The high-risk user playbook

If you're a journalist, an activist, a lawyer handling sensitive cases, a politically exposed person, or a senior executive at a target organization, your threat model is different from the average user's. The same advice everyone else gets isn't enough.

Turn on Lockdown Mode

Apple's Lockdown Mode is an opt-in setting that drastically reduces the iPhone's attack surface – at the cost of breaking some everyday functionality. It blocks most message attachment types, restricts complex web technologies in Safari, blocks incoming FaceTime calls from unknown contacts, and prevents wired connections to a locked device. Enable it in Settings → Privacy & Security → Lockdown Mode. The trade-offs are real and you'll feel them – but if your threat model warrants it, you'll know.

Pay attention to Apple Threat Notifications

Apple sends a notification to users it believes have been targeted by state-sponsored attackers. If you ever receive one, take it seriously. Don't dismiss it as spam. Contact your organization’s security team or, if you don't have one, reach out to a digital rights non-profit organization like Access Now, which runs a free, vetted helpline for at-risk users.

Consider operational compartmentalization

For the most sensitive work, the right answer may be a dedicated, vetted device – separate from the iPhone you use for everything else. The fewer apps installed and the fewer links opened on that device, the smaller the attack surface. This is the standard playbook for working journalists in hostile environments and increasingly common practice among senior executives in target industries.

Don’t Take Apple Security for Granted

Although iPhones are still widely regarded as the most secure devices around, it’s important not to underestimate the determination of bad actors. Apple provides a great foundation for secure device use, but you should build on it with user vigilance, watertight policies and strong enforcement. For solo users this means keeping software updated, and being cautious about new apps, incoming messages and web content.

Frequently asked questions

Can my iPhone get a virus from clicking a link?

A classic virus that self-replicates in the operating system? Almost certainly not – iOS sandboxing makes that extraordinarily difficult. But clicking a link can still expose you to phishing pages that steal credentials, malicious profiles that change your device's behavior, or in very rare cases zero-day exploits that compromise the device without further interaction. The link itself isn't the problem; what happens after you tap is.

Does Apple scan for viruses?

Apple performs static and dynamic checks on apps submitted to the App Store, and iOS continually monitors for behavior that looks malicious. There is no on-demand "virus scan" you can run yourself – and no third-party app can scan the whole device, because iOS doesn't allow apps that level of access. That's a feature, not a limitation.

Is there a virus scanner for iPhone?

Not in the way Windows or Mac users understand the term. Apps marketed as "iPhone antivirus" can't perform full system scans because iOS sandboxing isolates every app from every other app. What they can do – and what genuine mobile security apps focus on – is block malicious links in browsers and messages, flag suspicious Wi-Fi networks, scan for unsafe configuration profiles, and warn you about data leaks. That's still useful; just don't expect a traditional scan.

Does a factory reset remove all malware from an iPhone?

For the vast majority of consumer iOS malware, yes. Factory reset wipes the operating system, your apps, and your data, so anything sitting in app data or in cached configuration is gone. There are theoretical exceptions for very advanced threats – specifically targeted firmware-level implants – but those are extraordinarily rare and not what consumer users face. After a reset, restore from a known-clean backup, not the most recent one if you suspect the problem started before then.

Are iPhones safer than Android phones?

For most users, yes – iPhones benefit from a single hardware vendor, a much narrower OS-version spread (most active iPhones are on the latest iOS within months of release), stricter App Store curation, and limited sideloading outside the EU. None of this makes iPhones invulnerable; phishing and social engineering work just as well on iOS as on any platform. But the structural advantages are real.

Should I install antivirus software on my iPhone?

"Antivirus" in the traditional sense isn't possible on iOS, and any app calling itself that on the App Store is using the term loosely. What's worth installing is a reputable mobile security app that focuses on what iOS does allow: anti-phishing in your browser, link scanning in your messages, and network safety. The right question isn't "do I need antivirus" – it's "what threats actually face my device, and what app addresses those."

Can my iPhone be hacked if I just visit a website?

In normal circumstances, no – Safari's WebKit engine runs websites inside a strict sandbox. But the unusual circumstance does exist: WebKit zero-day vulnerabilities, like the ones Apple patched in iOS 26.2 in January 2026, have been chained with other exploits by commercial spyware operators to compromise devices through a single visited link. For everyday users, the practical defense is keeping iOS current – once a patch is out, the exploit window closes.