Hundreds of Millions of iPhones Must Reboot Now — Are You Affected?
TL;DR: Apple has published security updates that fix actively exploited WebKit vulnerabilities. If your iPhone is not running one of the patched OS versions, Apple recommends updating to the patched release — or at minimum rebooting/shutting down your device immediately — because a reboot can break active spyware running in memory. This applies to a very large number of devices, and slow adoption of the newest OS means hundreds of millions remain at risk. If you use an iPhone, follow the step-by-step checks below now.
What actually happened (short, technical summary)
Apple issued security fixes for vulnerabilities in WebKit — the underlying browser engine used by Safari and all browsers on iPhone. Two of those bugs were confirmed to have been used in real-world attacks. Apple bundled the fixes into the latest OS builds, and the company, along with security researchers and vendors, is now telling users to either install the update or reboot their device immediately, because a reboot clears volatile spyware from memory and forces the device into a more secure state until it’s unlocked.
Why that matters: some spyware operates entirely in RAM and disappears after a restart; if an attacker has code running now, a shutdown/restart will terminate that process and block its persistence until a fresh exploit re-establishes it. Apple’s security release explains the vulnerable components and which OS builds include the fixes.
Who is affected (devices & scale)
- Models: iPhone 11 and later (and many modern iPads and other Apple devices) are within the scope of the patched WebKit vulnerabilities. Check Apple’s security advisory for the full device list.
- Scale: industry reporting indicates adoption of the patched OS is still low, meaning hundreds of millions of iPhones could be running vulnerable software and therefore are advised to reboot or upgrade. Security journalism and vendor analysis make that scale clear.
In plain terms: if you own a modern iPhone and you haven’t recently installed the latest iOS update (or at least performed a fresh reboot), you should act now.
Why a reboot helps (the technical logic)
- Memory-only spyware: Sophisticated spyware sometimes executes in RAM and avoids writing to storage. Rebooting clears RAM and stops those processes. If malware hasn’t achieved persistence (which is often the case in targeted WebKit exploits), a restart will remove the active implant.
- Before First Unlock (BFU) state: After a full restart, iPhones enter a more locked state until the user enters the passcode; some forensic or extraction methods are limited while the phone is in that mode. That extra hurdle protects data. This behavior is part of Apple’s security hardening.
- Patched code vs. in-memory exploit: Updating installs the patched code that stops the vulnerability from being re-exploited. Rebooting removes a current infection but doesn’t patch the vulnerability — both actions together (update + reboot) are ideal.
Immediate actions — step-by-step (do this now)
I’ll give clear, no-nonsense, model-specific steps. Do them exactly in this order.
1. Check your iPhone’s iOS version
Open Settings → General → About and look at Software Version (or go to Settings → General → Software Update). If your device shows the latest patched build listed on Apple’s security pages, the update is installed. If not, proceed to step 2.
2. If you can update, update now (best option)
- Connect to a trusted Wi-Fi network.
- Go to Settings → General → Software Update → Download and Install.
- After the patch installs, the phone will prompt for a restart; accept it. That both patches the vulnerability and restarts the device (ideal).
3. If you cannot update right away — reboot now (critical stopgap)
A plain shutdown + power up is frequently enough to terminate memory-resident spyware.
- Shut down normally: press and hold either volume button + side/power button until the power-off slider appears, drag to power off, wait 30 seconds, then power on by holding the side button. (Works on most recent models.)
- If the phone is unresponsive, force restart: follow Apple’s model-specific force-restart sequence:
  - iPhone with Face ID or iPhone 8 and later: quickly press and release Volume Up → quickly press and release Volume Down → press and hold Side button until Apple logo shows.
  - iPhone 7/7 Plus: hold Volume Down + Side button until Apple logo.
  - iPhone 6s and earlier: hold Home + Side (or Top) button until Apple logo.
- After the restart, do not visit sensitive sites until you can update; a reboot gives temporary relief but not permanent protection.
4. Re-check the software version immediately after reboot
Go back to Settings → General → Software Update. If the patched build isn’t installed, schedule the update as soon as possible. If your device won’t update over the air, connect it to a trusted computer with Finder/iTunes and update from there.
5. If you suspect compromise, isolate the device
- Turn off Wi-Fi and cellular (Airplane Mode).
- Disable Bluetooth and any tethering.
- Do not enter passwords on the device until you can confirm it is clean (credential-stealing malware may wait to capture master logins).
- Consider backing up to iCloud or a trusted computer and then performing a factory reset if forensic signs persist.
How to tell if your iPhone might already be infected (signs to watch for)
- Excessive battery drain or unexplained CPU usage.
- Strange outgoing network connections when you aren’t using apps (hard to see without tools, but enterprises log this).
- New apps you don’t recognize (rare on iOS but sideloading or configuration profiles can change behavior).
- Strange SMS/email behavior (outgoing messages, verification code requests you didn’t initiate).
- “Weird” browser behavior or persistent pop-ups even after clearing Safari.
If you see multiple indicators, treat the device as compromised and follow the “if compromised” steps below. Malwarebytes and other vendors emphasize that many targeted attacks are silent, so absence of obvious signs is not proof of safety.
If you’re compromised or still worried — escalation checklist
- Backup important data to a trusted computer (encrypted backup) or iCloud.
- Factory reset: Settings → General → Transfer or Reset iPhone → Erase All Content and Settings. This wipes persistent modifications. After the reset, restore only from a backup made before you think the infection occurred — and be cautious: some backups can preserve infection artifacts.
- Change critical passwords (Apple ID, email, banking) from a known-clean device. Use a password manager and enable two-factor authentication.
- Re-enroll in MDM/vetted enterprise tools if the phone is managed by work; coordinate with your security team.
- Report to your national cybersecurity authority or vendor if you suspect targeted intrusion (for high-risk users: journalists, activists, executives). Several governments provide reporting channels; in some regions CISA-style advisories exist for coordination.
Enterprise & IT guidance (what teams should do now)
- Force update windows: For managed fleets, push the patched OS via MDM and require installation. Enforce restart where possible.
- Monitor network telemetry: Look for unusual outbound connections from iOS devices to suspicious IPs. Block known bad domains at the gateway and review egress logs.
- Credential resets & access gating: For high-value user accounts, force password resets and reissue tokens. Consider adding additional MFA barriers temporarily.
- Risk communications: Tell employees to reboot immediately and confirm checks — simple, fast, and effective. Security teams should cite vendor advisories and inform leadership of remediation timelines.
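One way to measure the update and restart compliance described in this list, as an added example (not from the original article or from any MDM vendor): it triages a constructed inventory export into patched, rebooted-only and at-risk devices. The column names, the reboot cutoff date and every row are assumptions; iOS 26.2 is the patched release named in this page's source list.

```python
import csv
import io
from datetime import datetime, timezone

# Patched floor per major branch. 26.2 comes from this page's source list;
# fixes backported to older branches are not named here, so add them from
# Apple's advisory. Branches without an entry are treated as unpatched.
PATCHED_MIN = {26: (26, 2)}

# Assumption: constructed cutoff, stands in for when the reboot notice went out.
REBOOT_CUTOFF = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed export; hypothetical columns, not a real MDM schema.
SAMPLE_EXPORT = """serial,os_version,last_boot_utc
CONSTRUCTED-001,26.2,2025-01-03T08:00:00Z
CONSTRUCTED-002,26.1,2025-01-02T09:30:00Z
CONSTRUCTED-003,26.1,2024-12-20T11:00:00Z
CONSTRUCTED-004,18.6,2025-01-05T07:15:00Z
CONSTRUCTED-005,,2025-01-02T00:00:00Z
"""

def parse_version(text):
    """Return the version as a tuple of ints so 26.10 sorts above 26.2."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None  # empty or malformed field

def classify(row):
    version = parse_version(row["os_version"])
    if version is None:
        return "unknown"  # needs a manual check, never assumed safe
    floor = PATCHED_MIN.get(version[0])
    if floor is not None and version >= floor:
        return "patched"
    booted = datetime.fromisoformat(row["last_boot_utc"].replace("Z", "+00:00"))
    # A reboot after the notice is only the stopgap; the device still needs the update.
    return "rebooted_only" if booted >= REBOOT_CUTOFF else "at_risk"

def triage(export_text):
    buckets = {"patched": [], "rebooted_only": [], "at_risk": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        buckets[classify(row)].append(row["serial"])
    return buckets

if __name__ == "__main__":
    for status, serials in triage(SAMPLE_EXPORT).items():
        print(f"{status}: {serials}")
```

Devices in `at_risk` are the first to chase; `rebooted_only` devices have had the stopgap but remain exploitable until the update is installed.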
Why many users are still at risk — adoption & human behavior
Security vendors and journalists note that adoption of major new iOS releases is unusually slow for this update cycle. That means a large share of devices remain on older builds that are still vulnerable. Reasons include:
- Users delaying upgrades because of feature changes or battery concerns.
- Enterprises delaying OS rollouts for compatibility testing.
- Confusion over whether the update applies to older models.
The net result: the slow move to patched builds increases the pool of vulnerable devices and raises the odds of attackers reusing exploit tooling on a wider scale. That’s why a simple reboot is being pushed as an emergency mitigation in addition to the update.
Mini-case study: why “targeted” exploits go mass-scale
History shows that exploits first used against a small number of high-value targets often leak or are adapted for larger campaigns. The Pegasus story and other incidents demonstrate how tools can migrate from targeted espionage to broader criminal use once details leak. That makes prompt patching essential — what looks like “I’m not a target” is a fragile assumption. If you rely on that assumption, you’re not implementing basic risk management.
Tools & resources (trusted links and what to read next)
Below are practical, authoritative resources you should use right away. These are safe, reputable pages with instructions or advisories:
- Apple — security advisory and the official patch notes for the patched builds (how to check and update).
- Forbes — clear consumer guidance on which users are affected and practical steps to reboot and update.
- Malwarebytes — vendor analysis explaining why rebooting helps and adoption concerns.
- TechRadar / Bleeping Computer — technical summaries of the WebKit zero-days and how they were exploited.
- CISA / national cyber authorities — for enterprise reporting and further mitigation guidance. (Check your country’s cybersecurity authority for local reporting links.)
(Use these links as bookmarks and forward them to anyone in your organization who needs simple, authoritative instructions.)
Common questions — quick answers
Q: I rebooted — am I safe?
A: Rebooting removes in-memory implants, so you’ve likely removed any active in-RAM spyware. But rebooting doesn’t patch the vulnerability. Update as soon as you can.
Q: Is this the same as a software update?
A: No. Update installs patched code. Reboot only clears running processes. Both together are best.
Q: I’m on an older model iPhone — does this affect me?
A: Apple’s advisory lists supported devices. Some older models may not be in the “must update to the newest major OS” group, but Apple backported fixes to some older builds. Check Apple’s security page for exact eligibility.
Q: Should I enable Lockdown Mode?
A: For higher-risk users, yes. Lockdown Mode reduces attack surface and is recommended by security authorities for people at elevated risk (and now recommended more broadly by some vendors).
Hard advice (no sugarcoating)
- If you delay the update because you “don’t feel like it” or because you’re worried about new features, you are gambling with your device and potentially the credentials and data tied to it. Rebooting is a temporary band-aid; installing the patch is non-negotiable.
- If you’re an organization and don’t require an emergency update strategy for mobile fleets, you are failing at basic risk management. Push updates, require restarts, and measure compliance.
What to do if you need help (victims, journalists, NGOs)
If you believe you were specifically targeted (you are a journalist, activist, campaigner, or high-profile person):
- Contact your organization’s security team or a trusted mobile forensics firm.
- Report the incident to your national cybersecurity authority and preserve any logs/backups.
- Don’t attempt to “fix it” by tinkering; rely on trained responders. Vendors and governments often publish guidance for high-risk individuals.
Final checklist — copy this and use it now
- [ ] Check Settings → General → Software Update. If an update is available, install it.
- [ ] If you can’t install now, shut down and restart your iPhone immediately (force-restart if frozen).
- [ ] Disable Wi-Fi/cellular if you suspect compromise.
- [ ] Back up important data, then consider a factory reset if suspicious behavior continues.
- [ ] Change important passwords from a trusted device and enable MFA.
Sources & backlinks (authoritative reading list)
- Apple — About the security content of iOS 26.2 and iPadOS 26.2 (official advisory).
- Forbes — consumer guide and analysis: Most Apple iPhones Must Reboot Now — Are You Affected? by Zak Doffman.
- Malwarebytes Labs — vendor analysis: Why iPhone users should update and restart their devices now.
- TechRadar / BleepingComputer — technical coverage of WebKit zero-days and patches.
- CISA — Apple security updates and guidance for enterprises (see advisories and mitigation guides).
Closing — concrete, non-negotiable takeaway
Stop reading and check your phone. If your iPhone isn’t on the patched build, update it now. If you can’t update for any reason, restart it now. Reboots are a short-term lifesaver; updates are permanent fixes. Don’t assume “I’m not a target” — attackers reuse successful tooling. This is basic digital hygiene: patch, reboot, verify. If you’re responsible for others (family, employees), get them to do it too. Your wallet, emails, and identity depend on it.
