December 22, 2025 Apple is requiring iPhone users who have not upgraded to iOS 26 to update now after confirming that active spyware attacks are again targeting iPhones. Critical security fixes that many expected to be delivered in a final iOS 18 update are instead being restricted to older devices only, leaving newer iPhones protected exclusively through iOS 26.

Many users expected iOS 26.2 to be a standard feature update and iOS 18.7.3 to remain available as a security path for users that choose to stay on iOS 18. Early signals supported that view. The 18.7.3 beta was available broadly, and its fixes were initially flagged as applying across supported devices. Instead, Apple’s latest documentation now lists those patches as “available for iPhone XS, iPhone XS Max, iPhone XR,” leaving iPhone 11 and newer devices with iOS 26 as the single path to those fixes.

iPhones are again being targeted with mercenary surveillance tools aimed at specific users but capable of much wider spread over time. The new patches are described as critical, closing vulnerabilities that could allow attackers to compromise devices without user interaction.

That makes Apple’s timing notable. iOS 18.7.3 is already coded to run on newer hardware and could have provided a bridge for cautious users. Instead, the company appears to be using a high-severity security event to consolidate its platform on iOS 26. Analysts estimate that at least half of eligible users have yet to move to iOS 26, with a smaller minority – perhaps around 10 per cent – still on older, ineligible iPhones.

The practical message for anyone with an iPhone 11 or newer is that delaying the upgrade now means running without the latest spyware protections. Mobile security firm Zimperium estimates that more than 50 per cent of mobile devices, across both iOS and Android, typically operate on outdated OS versions at any given time, leaving a large pool of users exposed when targeted campaigns appear.

Beyond the immediate spyware fixes, iOS 26 also brings several security and privacy changes that Apple is now effectively treating as the new baseline. Safari gains stronger default protection against cross-site tracking and fingerprinting, including campaigns linked to Google’s ad ecosystem. In addition, new defences are designed to reduce the risk from malicious wired connections, such as the types of attacks flagged in recent TSA guidance. The protections also include expanded anti-scam detection for phone calls and messages.

Apple is yet to clarify whether future security fixes will follow a similar pattern.