IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Watch out for Walmart gift card scams

You’ve probably seen it before—a bright, urgent message claiming you’ve qualified for a $750 or $1000 Walmart gift card. All you have to do is answer a few questions. It looks harmless enough. But once you click, you find yourself in a maze of surveys, redirects, and “partner offers”—without ever actually reaching the end and claiming your prize.

Walmart gift card scam

This so-called “survey” is part of a lead-generation and affiliate marketing scam, designed not to reward you but to harvest your data and push you through ad funnels that make money for others, at the cost of your privacy.

Congrats!

What’s really going on?

It’s a scam because these pages rarely deliver any real gift card. What they’re after is your personal data.

As you move through each step, you’re asked for details like your name, email, phone number, ZIP code and even your home address. In some cases, you’re prompted to share interests such as home repair, debt help, or insurance quotes—each answer helps categorize you for targeted marketing.

Questions that aim to capture your data

Even if the page itself doesn’t steal money, that information is still valuable. It can be used to target you with more ads and offers, add you to marketing lists, or personalize follow-up contact. In other words, completing the questionnaire hands over data that can be exploited for profit—even when no gift card ever appears.

Survey questions from an affiliate

In some cases, the funnel gets even more specific. For example, if the survey asks you about home projects and you say you’re planning to replace your windows, you might be redirected to what looks like a legitimate home improvement site—often just another form asking for the same details again. The whole thing is designed to keep you filling out more forms, giving up more of your data, to more websites and affiliates.

Questions from an affiliate to collect your data
The surveys try to keep you on the site.

These scams aren’t just annoying time-wasters. They are harvesting your data, eroding your privacy and exposing you to wider risks. Once your details are shared, they can travel far beyond that fake survey.

Your information may:

  • Be resold to advertisers and data brokers, who build detailed profiles about your habits, spending, and location.
  • Lead to a surge of spam calls, texts, and phishing emails tailored to your interests.
  • Feed more convincing scams down the line, since criminals can now personalize their lures using real information about you.
  • End up on unregulated marketing lists that circulate for years, keeping your data in play long after you’ve closed the page.

That’s the hidden cost of a “free” gift card: each click fuels a network that profits from your identity, not your participation.

Why do people fall for it?

The hook is simple—free money and easy participation. But this fake Walmart promotion taps into three powerful psychological triggers:

  1. The sense of luck: “You’ve been selected!” sounds personal and special.
  2. The promise of low effort: Answering a few questions feels harmless.
  3. The illusion of credibility: Walmart’s branding lends legitimacy.
It looks easy to claim a gift card.

These scams spread mainly through advertising and malvertising networks—pop-ups, spam emails, social media ads, or sketchy website banners that imitate real promotions.

You might spot them alongside news articles or as “sponsored links” that sound too good to be true. Some appear via push notifications or redirects, whisking you from a real website to a fake reward page in seconds.

The designs often use official logos, countdown timers, and congratulatory language to make them look like authentic brand campaigns—tricking people into lowering their guard.

It’s an easy mental shortcut: “If this was fake, it wouldn’t look so professional.” That’s what these scammers count on—the appearance of legitimacy mixed with urgency and reward.

How to protect yourself

These gift card offers aren’t just harmless internet fluff—they’re the front door to a sprawling network of data collection and affiliate profiteering. Each click, form, and redirect is designed to extract value from your attention and information, not to reward you.

Recognizing these scams early is the best defense. Here’s how to stay safe:

  1. Be suspicious of online surveys promising big rewards. Legitimate promotions from major retailers rarely require long questionnaires or partner offers.
  2. Never give personal information to unknown pages. If a site asks for your phone number or address for a “free prize,” it’s a red flag.
  3. Use browser protection tools. Extensions like Malwarebytes Browser Guard can block known scam domains and malvertising networks before they load.
  4. Check the URL carefully. Real Walmart promotions will always come from official domains (like walmart.com or survey.walmart.com), not random URLs with extra words or numbers.
  5. Stay alert and skeptical. Online quizzes and reward offers are a favorite bait for scammers. When in doubt – close the tab.
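
The URL check from step 4, written out as code. This is an added example, not part of the original article: it accepts a link only when its host is walmart.com or a true subdomain of it. The https requirement, the rejection of ambiguous characters and internationalized hosts, and the example.* sample links are assumptions made for this sketch.

```python
from urllib.parse import urlsplit

# Official domain named in the article. survey.walmart.com is covered as a
# subdomain of walmart.com.
OFFICIAL_DOMAINS = ("walmart.com",)


def check_link(url, official=OFFICIAL_DOMAINS):
    """Return (is_official, reason) for a link taken from an ad, email or text."""
    # Backslashes, whitespace and control characters are read differently by
    # different URL parsers, so a link containing them is rejected outright.
    if any(ch == "\\" or ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False, "ambiguous characters in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any user@ prefix and port, lowercases
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"  # assumption: official promos use https
    if not host:
        return False, "no host in URL"
    host = host.rstrip(".")
    # Non-ASCII or punycode labels can hide lookalike letters.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host (possible lookalike letters)"
    for domain in official:
        # Exact match or a true subdomain. The dot in front of the domain is
        # what rejects hosts such as "notwalmart.com".
        if host == domain or host.endswith("." + domain):
            return True, "host is " + host
    return False, "host is " + host + ", not an official domain"


# Constructed sample links (example.* names are placeholders, not indicators).
SAMPLES = [
    "https://www.walmart.com/account",
    "https://survey.walmart.com/",
    "https://walmart.com.gift-claim.example/750",  # brand used as a subdomain
    "https://walmart-rewards750.example/survey",   # extra words and numbers
    "https://walmart.com@prizes.example/claim",    # brand in the user@ part
    "https://prizes.example/?site=walmart.com",    # brand only in the query
    "http://walmart.com/",                         # not https
    "https://w\u0430lmart.com/",                   # Cyrillic letter in the host
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_link(link)
        print("OFFICIAL  " if ok else "UNOFFICIAL", link, "->", reason)
```

Only the first two sample links pass; every other one carries the brand name somewhere other than the registered domain.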

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!


Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025

The AV-Comparatives Stalkerware Test 2025 delivers a sobering look at the evolving threat posed by stalkerware on mobile devices. Despite measures from both the tech industry and platform providers, stalkerware-type apps, which are apps that can be installed covertly to spy on a victim’s private life, remain a critical concern.

This comprehensive assessment, developed in collaboration with Electronic Frontier Foundation (EFF), evaluated 13 leading Android security solutions against 17 diverse stalkerware-type apps. Key findings show that stalkerware persists even as providers and coalitions crack down: it’s sideloaded from developer websites, designed to evade detection, and frequently stores sensitive victim data on insecure servers, often exposing it to wider risks like public data leaks.

For this test, each security app was assessed for its ability to clearly detect and report stalkerware, not just using generic labels, but with explicit warnings tailored to support possible victims.

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.

Of the 13 security products tested in September 2025, only a few stood out for detection accuracy, clarity, and responsible alerting, with Malwarebytes the only one to score a 100% detection rate.

From the report:

The results show clear differences in performance between mobile security products. Malwarebytes stood out by detecting all stalkerware testcases, achieving a 100% detection rate. 

It went on to say:

Bitdefender, ESET, Kaspersky, and McAfee followed closely with 94% each, showing consistently high effectiveness. Avast, Avira, and F-Secure also performed well, identifying 88% of the test set, while Norton and Sophos achieved moderate coverage, detecting around 82%. At the lower end, G Data (65%), Google (53%), and Trend Micro (59%) missed a substantial portion of the stalkerware.

Why it matters to Malwarebytes

As one of the founding members of the Coalition Against Stalkerware, Malwarebytes sees this result as much more than a technical win. For us, the mission goes beyond simply blocking malicious software. Stalkerware-type apps are often used by abusers to systematically invade privacy and exert control. Their impact is highly personal, making reliable detection and safe reporting imperative.

Our participation in the coalition reflects a commitment to industry best practices: preventing stalkerware-type apps from being quietly installed, giving users detailed and honest threat information, and ensuring that every detection alert is crafted with survivor safety in mind. Scoring 100% in this test validates years of advocacy and development focused on the real-world needs of victims and their supporters, which goes beyond focusing on theoretical malware samples.

Ultimately, consistent leadership in stalkerware detection means standing alongside partners and survivor organizations to raise public awareness, drive safer technology, and provide every user with a clear path to reclaim their privacy. For Malwarebytes, achieving a perfect score isn’t just a mark of product quality; it’s proof of our commitment to your privacy and security.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Fake CAPTCHA sites now have tutorial videos to help victims install malware

Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer.

ClickFix is the name researchers have since given to this type of campaign—one that uses the clipboard and fake CAPTCHA sites to trick users into running malicious commands themselves.

Later, we found that the cybercriminals behind it seemed to be running some A/B tests to figure out which infection method worked best: ClickFix, or the more traditional file download that disguises malware as a useful application.

The criminals probably decided to go with ClickFix, because they soon came up with a campaign that targeted Mac users to spread the infamous Atomic Stealer.

Now, as reported by researchers from Push Security, the attackers behind ClickFix have tried to make the campaign more “user-friendly.” The latest fake CAPTCHA pages include embedded video tutorials showing exactly how to run the malicious code.

instructions for Mac users
Image courtesy of Push Security

The site automatically detects the visitor’s operating system and provides matching instructions, copying the right code for that OS straight to the clipboard—making typos less likely and infection more certain.

A countdown timer adds urgency, pressuring users to complete the “challenge” within a minute. When people rush instead of thinking things through, social engineering wins.

Unsurprisingly, most of these pages spread through SEO-poisoned Google search results, although they also circulate via email, social media, and in-app ads.

How to stay safe

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Hackers commit highway robbery, stealing cargo and goods

There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens.

According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even diverting real cargo shipments to unapproved locations so that the stolen goods can be sold or shipped elsewhere.

The impact, the researchers said, extends far beyond the logistics industry:

“Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics. The most targeted commodities are food and beverage products.”

Although the cyberattacks were mostly seen in North America, cargo theft is a problem across the world, impacting consumers and businesses that rely on the often-overlooked network of trucks, trains, ships, planes, and people.

In these attacks, cybercriminals compromise the accounts of carrier companies that transport goods from one location to the next. By posing as legitimate carriers, they can place real bids on shipments and then redirect them to unauthorized destinations, where they or their partners will receive and steal the cargo.

Researchers found that attackers take control of these accounts in at least one of three ways.

1. Fake load boards

Attackers may post a fake order on what’s called a “load board,” a digital marketplace that connects shippers with carriers so that cargo can be assigned and accepted. But when legitimate carriers inquire about the fake load board posting, the criminals reply with an email that includes a malicious link that, when clicked, installs Remote Monitoring and Management (RMM) software. (To make the scam more convincing, the cybercriminals also compromise a “broker” account so their load board posting looks legitimate.)

Despite the sneaky install method, RMM software itself is entirely legitimate. It’s used by IT support teams to remotely fix issues for employees. But that legitimacy makes RMM software perfect for any cybercriminal campaign because it may raise fewer red flags from older antivirus tools.

Once the attackers gain access to a carrier’s account, they can also deploy malware to steal account credentials, giving them greater access to a company’s network.

2. Compromised email accounts

A second observed attack method involved hijacking an active email address and then impersonating the owner when responding to emails about cargo orders and shipments. Here, too, cybercriminals inserted malicious links into emails that eventually install RMM tools.

3. Social engineering

Finally, researchers also observed the attackers sending direct phishing emails to carriers, using classic social engineering tricks—like sending a bogus bill to lure victims into clicking malicious links.

While many of the well-tested security best practices still apply—like not clicking on links inside emails—one of the strongest defenses is to use a security product that notifies users about RMM tools (also sometimes referred to as Remote Desktop Programs) installed on their device. RMM tools are legitimate, but because of their abuses in cybercriminal campaigns, it is important that every installation is verified and tracked.
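
One way to keep every remote-access install verified and tracked, as the paragraph above recommends. This is an added example, not from the article or the research it cites; the product watch list, the host names, the approval register and the inventory rows are all assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumption: a short watch list of well-known remote-access products. The
# article names no products, so extend this with whatever your fleet may meet.
RMM_PATTERNS = {
    "AnyDesk": re.compile(r"\banydesk\b", re.I),
    "ScreenConnect": re.compile(r"\bscreenconnect\b|\bconnectwise control\b", re.I),
    "Splashtop": re.compile(r"\bsplashtop\b", re.I),
    "TeamViewer": re.compile(r"\bteamviewer\b", re.I),
}

# Constructed approval register: (host, product) pairs that IT has verified.
APPROVED = {
    ("DISPATCH-01", "TeamViewer"),
    ("IT-LAPTOP-07", "ScreenConnect"),
    ("YARD-KIOSK-03", "Splashtop"),
}

# Constructed installed-software export (hosts and dates are made up).
INVENTORY_CSV = """\
host,display_name,install_date
DISPATCH-01,TeamViewer 15,2024-03-11
DISPATCH-01,ScreenConnect Client (a1b2c3d4),2025-10-29
DISPATCH-02,AnyDesk,2025-11-02
DISPATCH-02,7-Zip 24.08 (x64),2024-01-05
IT-LAPTOP-07,ScreenConnect Client (e5f6a7b8),2023-09-01
"""


def rmm_product(display_name):
    """Map an installed-program name to a watch-list product, or None."""
    for product, pattern in RMM_PATTERNS.items():
        if pattern.search(display_name):
            return product
    return None


def reconcile(inventory_csv, approved):
    """Split RMM installs into verified and unverified, and list stale approvals."""
    verified, unverified, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = rmm_product(row["display_name"])
        if product is None:
            continue  # not a remote-access tool
        key = (row["host"], product)
        seen.add(key)
        entry = key + (row["install_date"],)
        (verified if key in approved else unverified).append(entry)
    # Approvals with no matching install mean the register is out of date.
    stale = sorted(approved - seen)
    return {
        "verified": sorted(verified),
        "unverified": sorted(unverified),
        "stale": stale,
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, APPROVED)
    for host, product, date in report["unverified"]:
        print(f"VERIFY: {product} on {host}, installed {date}, has no approval on record")
    for host, product in report["stale"]:
        print(f"STALE: {product} is approved on {host} but is not installed")
```

An approved product on one machine does not approve it everywhere: ScreenConnect is verified on IT-LAPTOP-07 but still flagged on DISPATCH-01.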



Android malware steals your card details and PIN to make instant ATM withdrawals

The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.

Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones—without ever physically stealing the cards.

NFC is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they’re very close together. So, instead of stealing your bank card, the attackers capture NFC (Near Field Communication) activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate’s case the stolen data is sent over the network to the attackers’ servers rather than being relayed purely by radio.

NFC comes in a few “flavors.” Some produce a static code—for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my “Flipper Zero” so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use the NFC, your card’s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.

So, that’s what makes the NGate malware more sophisticated. It doesn’t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged — not just the card number, but the fresh one-time codes and other details generated in that moment.

The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.

But, as you can imagine, being ready at an ATM when the data comes in takes planning—and social engineering.

First, attackers need to plant the malware on the victim’s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake “banking” app from a non-official source, such as a direct link instead of Google Play.

Once installed, the app asks for permissions and leads victims through fake “card verification” steps. The goal is to get victims to act quickly and trustingly—while an accomplice waits at an ATM to cash out.

How to stay safe

NGate only works if your phone is infected and you’re tricked into initiating a tap-to-pay action on the fake banking app and entering your PIN. So the best way to stay safe from this malware is to keep your phone protected and stay vigilant to social engineering:

  • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
  • Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
  • Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.



Take control of your privacy with updates on Malwarebytes for Windows

It’s getting harder to keep your Windows space truly yours, as Microsoft increasingly serves annoying ads and tracks your data across third-party apps.

Pushing back against your eroding privacy has been a scattered and sometimes complicated process… but we’re making it easier for you. With the latest version of Malwarebytes for Windows, we’ve introduced Privacy Controls—a simple screen that brings several privacy settings together in one place, so you can easily decide how Microsoft handles your data.

Privacy Controls

With four simple toggles, you can decide whether to:

  • Allow third-party apps to use your Advertising ID
  • Allow third-party content on your lock screen
  • Allow third-party content on your Start screen
  • Allow Microsoft to use Windows diagnostic data

You can also disable all privacy-impacting features at once.

There’s more good news for your privacy. Malwarebytes now also alerts you when “Remote Desktop Programs” are installed on your device.

Remote Desktop Programs are powerful, often legitimate tools used by IT teams and tech support to fix problems remotely—especially since remote work became common. But the remote access these programs provide is powerful, which makes them a target for cybercriminals. If a real tech support account is compromised, a hacker could use the remote desktop program to tamper with your devices or spy on sensitive information.

There’s also a type of scam—called a tech support scam—where criminals trick people into installing remote desktop programs so they can take control of the victim’s device, potentially stealing data or money down the line.  

By flagging these programs, Malwarebytes gives you more visibility into what’s on your computer, so you can stay in control of your privacy and security.



Cyberattacks on UK water systems reveal rising risks to critical infrastructure

Digital intruders have been targeting UK drinking water systems in what seems to be a growing risk.

Recorded Future News sent a request to the UK’s Drinking Water Inspectorate (DWI), the organization responsible for ensuring that drinking water is safe, for details on cyberattacks affecting the country’s water system. Using freedom of information laws, the site discovered five incidents that had taken place since January 1, 2024.

A steady stream of water attacks

These aren’t the first attacks on UK water systems. In August 2022, the Clop ransomware gang hit South Staffordshire Water, thinking that it was actually Thames Water. The attack focused on stealing customer data, meaning water supplies weren’t disrupted, although corporate systems were affected.

In late 2023, pro-Iranian hackers disrupted water supplies in County Mayo, Ireland. The intruders, known as the Cyber Av3ngers group, caused outages across 160 homes for two days. The attack was politically motivated by the utility’s apparent use of an Israeli-made tool.

These are far from the only attacks on water systems around the world. In February last year, CISA warned that a Chinese state-sponsored group had spent nine months moving laterally through a US water facility.

In that incident, attackers gained access using an administrator’s login and spent months inside the infrastructure, nosing around databases and other assets. CISA linked the intrusion to Volt Typhoon—a group that also targeted telecommunications companies around the world. The attackers were described as “OT adjacent,” meaning they had reached administrative systems close enough to potentially impact the operational technology that controls water flow.

The attacks keep coming. Just last month, the Canadian Centre for Cyber Security reported an attack on a municipal water facility. Hacktivists managed to alter water pressure, causing “degraded service” for the local community.

It’s always worrying when attackers target critical national infrastructure. When attackers hit Colonial Pipeline in 2021, they only compromised its administrative network (the part that handles paperwork). But the company was spooked enough that it shut down its fuel distribution systems too, as a protective measure, causing gasoline prices to spike across the US East Coast.

Many attacks on water systems might go unreported, depending on where they happen. The UK’s Network and Information Systems (NIS) regulations dictate that critical national infrastructure organizations should reveal cyber attacks to the public. However, that only applies if those attacks caused disruption.

That’s why the attacks uncovered by Recorded Future haven’t been made public until now. While worrying, they didn’t affect the UK’s water supply. A 2022 review of the NIS regulations criticized this limited disclosure, noting that attacks with the potential to disrupt services often went unreported.

Although the attacks reported to Recorded Future were voluntarily disclosed to the DWI by suppliers, upcoming legal changes could lower the bar for mandatory reporting. The UK’s proposed Cyber Security and Resilience Bill would expand disclosure requirements, increasing transparency about attacks that could affect the water supply. The Bill is expected to reach Parliament in 2025—though time is running short.

A resource under pressure

Water is under considerable threat already in the UK, with major droughts declared this year. The Met Office reports that this year’s February-to-April period was the driest since 1956, with rainfall at just half the long-term average. River flows have dropped sharply, soil moisture is down, and the National Drought Group has met to coordinate a national response.

Water companies already have plans to manage shortages, the UK government says. But as the cyberattacks mount, the question is: are their system defenses strong enough too?



Should you let Chrome store your driver’s license and passport?

Google has rolled out a new autofill feature for Chrome that goes beyond storing just your passwords, addresses, and credit card numbers. The new “enhanced autofill” can now stash your driver’s license, passport details, VIN, or license plate information. Sounds convenient, right?

But just because you can, it doesn’t mean you should.

Let’s face it: filling out government forms or travel bookings online is a pain. Anything that saves a few minutes—or spares you from hunting down your passport at the back of a drawer—feels like a win, especially if Chrome can neatly autofill those fields. And yes, Google promises encryption, explicit permission for autofill, and manual activation only if you want it.

But let’s think this through. Is storing your most personally identifiable information—like government-issued IDs—in the market-dominant browser a good idea? Because that’s what Chrome is.

Chrome’s market share (over 73% at the time of writing) makes it the internet’s biggest bullseye for criminals. Whether you’re using the enhanced autofill or the regular one, browser-based storage schemes are relentlessly hunted by password stealers, infostealers, and other types of malware.

And let’s not forget phishing attempts. Maybe having to dig through your drawer while you think about why a website needs that information isn’t such a bad thing after all.

Sure, Chrome encrypts autofill data, only saves your info with permission, and asks for confirmation before pasting it into a form. You can also ramp up security with two-factor authentication (2FA) and a Chrome sync passphrase. But when cybercriminals get the right kind of access (by stealing a browser session, finding an unlocked device, or getting you to install a rogue extension), your sensitive information is in danger. And with what Chrome can now store, that could mean your identity.

Chrome’s enhanced autofill promises a smoother online ride, but the consequences of storing government IDs in your browser could outweigh the perks. Cybercriminals love a big target—and with Chrome’s popularity, the bounty only grows. When the reward for a criminal is your passport, driver’s license, or identity, convenience should come second to caution.

Thankfully, someone decided it was a good idea to turn off this feature by default, but if you want to check, here’s how to find it:

  • Open Chrome.
  • In the main Chrome menu, click on Settings.
  • Under Autofill and passwords, select Enhanced autofill if present.

Better alternative: password managers

We would advise that if you must store this kind of information digitally, use a password manager. These tools are built for secure storage—they’re audited for security, separate from browser processes, and don’t automatically serve up your data to any site that happens to have the right input fields.

Stick to a dedicated password manager and stay in control of what’s stored and where it gets filled out. Remember: the less a browser knows about your life, the safer you are when someone eventually tries to break in.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Apple patches 50 security flaws—update now

Apple has released security updates for iPhones, iPads, Macs, Apple Watches, Apple TVs, Safari, and Xcode, fixing nearly 50 security flaws. Some of these bugs could let cybercriminals see your private data, take control of parts of your device, or break key security protections.

Installing these updates as soon as possible keeps your personal information—and everything else on your Apple devices—safe from attack.

What caught our eye

Although Apple never releases full details before everyone has had a chance to apply the updates, two serious security flaws stand out:

  • CVE-2025-43442: This vulnerability is a permission issue which is fixed in iOS 26.1 and iPadOS 26.1. It could allow an app to identify which other apps a user has installed. You can imagine that if a banking Trojan—like this one on Android—can see which banking apps and crypto wallets someone uses, its operators can maximize their social engineering strategies to target that user.
  • CVE-2025-43455: This is a privacy issue in watchOS 26.1, visionOS 26.1, iOS 26.1, and iPadOS 26.1. It allows malicious apps to capture screenshots of sensitive information in embedded views. Apple addressed this by tightening privacy checks and isolation policies.

Updates for your particular device

This table shows which updates are available and points you to the relevant security content for that operating system (OS).

Update | Available for
iOS 26.1 and iPadOS 26.1 | iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later
macOS Tahoe 26.1 | macOS Tahoe
macOS Sequoia 15.7.2 | macOS Sequoia
macOS Sonoma 14.8.2 | macOS Sonoma
tvOS 26.1 | Apple TV HD and Apple TV 4K (all models)
watchOS 26.1 | Apple Watch Series 6 and later
visionOS 26.1 | Apple Vision Pro
Safari 26.1 | macOS Sonoma and macOS Sequoia
Xcode 26.1 | macOS Sequoia 15.6 and later
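
For anyone looking after more than one device, the OS rows of the table above can be turned into a quick patch-level check. This is an added example, not code from the article or from Apple: the device names and installed versions in the inventory are constructed, and only the fixed versions come from the table.

```python
# Fixed versions copied from the table above (OS rows only; Safari and
# Xcode are omitted). Device names and installed versions are constructed.
MACOS_FIXED = {26: "26.1", 15: "15.7.2", 14: "14.8.2"}  # Tahoe, Sequoia, Sonoma
OTHER_FIXED = {"iOS": "26.1", "iPadOS": "26.1", "tvOS": "26.1",
               "watchOS": "26.1", "visionOS": "26.1"}


def parse(version):
    """'15.7.2' -> (15, 7, 2). Numeric parts, so 15.10 sorts above 15.7.2."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '26.1' to (26, 1, 0)


def status(platform, version):
    """Return 'patched', 'needs <fixed version>' or 'no update listed'."""
    installed = parse(version)
    if platform == "macOS":
        # macOS has one fixed version per major release line.
        fixed = MACOS_FIXED.get(installed[0])
    else:
        fixed = OTHER_FIXED.get(platform)
    if fixed is None:
        return "no update listed"  # release line not covered by the table
    return "patched" if installed >= parse(fixed) else f"needs {fixed}"


def audit(inventory):
    """Return (device, status) for every device that is not patched."""
    results = [(name, status(plat, ver)) for name, plat, ver in inventory]
    return [(name, s) for name, s in results if s != "patched"]


# Constructed sample inventory: (device name, platform, installed version).
INVENTORY = [
    ("alice-mbp", "macOS", "15.7.1"),
    ("build-mac", "macOS", "14.8.2"),
    ("design-imac", "macOS", "26.0.1"),
    ("old-mini", "macOS", "13.7.8"),
    ("bob-iphone", "iOS", "26.1"),
    ("lobby-tv", "tvOS", "18.6"),
]

if __name__ == "__main__":
    for device, result in audit(INVENTORY):
        print(f"{device}: {result}")
```

On a Mac, `sw_vers -productVersion` prints the installed version string to feed into `status("macOS", ...)`.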

How to update your devices

How to update your iPhone or iPad

For iOS and iPadOS users, here’s how to check if you’re using the latest software version:

  • Go to Settings > General > Software Update.
  • Turn on Automatic Updates if you haven’t already—you’ll find it on the same screen.

How to update macOS on any version

To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:

  • Click the Apple menu in the upper-left corner of your screen.
  • Choose System Settings (or System Preferences on older versions).
  • Select General in the sidebar, then click Software Update on the right. On older macOS, just look for Software Update directly.
  • Your Mac will check for updates automatically. If updates are available, click Update Now (or Upgrade Now for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these instructions.
  • Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).
  • Make sure your Mac stays plugged in and connected to the internet until the update is done.

How to update Apple Watch

Ensure your iPhone is paired with your Apple Watch and connected to Wi-Fi, then:

  • Keep your Apple Watch on its charger and close to your iPhone.
  • Open the Watch app on your iPhone.
  • Tap General > Software Update.
  • If an update appears, tap Download and Install.
  • Enter your iPhone passcode or Apple ID password if prompted.

Your Apple Watch will automatically restart during the update process. Make sure it remains near your iPhone and on charge until the update completes.

How to update Apple TV

Turn on your Apple TV and make sure it’s connected to the internet, then:

  • Open the Settings app on Apple TV.
  • Navigate to System > Software Updates.
  • Select Update Software.
  • If an update appears, select Download and Install.

The Apple TV will download the update and restart as needed. Keep your device connected to power and Wi-Fi until the process finishes.

How to update your Safari browser

Safari updates are included with macOS updates, so installing the latest version of macOS will also update Safari. To check manually:

  • Open the Apple menu > System Settings > General > Software Update.
  • If you see a Safari update listed separately, click Update Now to install it.
  • Restart your Mac when prompted.

If you’re on an older macOS version that’s still supported (like Sonoma or Sequoia), Apple may offer Safari updates independently through Software Update.

How to update Xcode

Xcode is Apple’s developer tool for building apps, so most people won’t have this, but if you do, you’ll need to keep it updated. Xcode updates come through the App Store:

  • Open the App Store on your Mac.
  • Click Updates in the sidebar.
  • If an Xcode update is available, click Update next to it.
  • You can also search for “Xcode” directly and click Update or Get if you’ve uninstalled it.
