How Mercenary Spyware are Exploiting Android and iOS

Mercenary spyware is evolving every day and is becoming a major threat to privacy, security, and digital freedom across the globe.

By Hirum Kigotho|Last updated: February 24, 2026|8 minutes read
For years, Apple and Google have fortified their operating systems with layers of security, from hardened application sandboxes to bug bounty programs. Yet, despite these defenses, a shadow industry of 'mercenary spyware' continues to find a way in. These tools are designed to secretly monitor, collect, and transmit information from a device without the user's knowledge or consent. This article explores how such spyware works and how the battle between spyware vendors and platform defenders is redefining digital privacy.

Why State Actors Use Spyware

Spyware like Pegasus and Predator are developed by commercial surveillance companies and sold to governments and intelligence agencies. One major reason cited is national security and counterterrorism. State agencies can use spyware to detect potential threats or criminal activities and monitor communication networks used by suspected terrorist or criminal groups. However, spyware has also been used for information control and censorship. Governments can use them to monitor journalists, activists, dissidents, or political opponents. These surveillance toolkits are often marketed to states at premium prices, with full deployments often costing millions of U.S. dollars. They are designed to silently extract every piece of data from a target's device. For years, Pegasus and Predator have been linked to high-profile targeting of journalists, human rights activists, government officials, and corporate executives across the globe.

Infection Vectors

Zero-click exploits

The most terrifying capability of this spyware is the ability to infect a device with little to no interaction from the victim. Zero-click exploits are the "holy grail" for spyware operators. They allow an infection to occur without the target performing any action, such as clicking a link or opening a file. These sophisticated threats often exploit vulnerabilities in messaging or communication apps to gain remote access. Messaging applications process incoming content before the user even opens it. If that processing code contains an unpatched vulnerability, a specially crafted message can exploit it and execute malicious code on the device. Pegasus has famously used zero-click exploits against iOS devices via the iMessage platform. By sending a specially crafted piece of data to the target's phone number, the exploit triggers a vulnerability in the message parsing engine, executing code remotely without the user ever knowing an attack occurred.

One-Click and Network Injection

Predator frequently uses a hybrid approach. A common method involves sending a malicious link via WhatsApp or SMS. If the target clicks it, the link leads to a site that drops the spyware. However, in more advanced scenarios, vendors collaborate with Internet Service Providers (ISPs) to inject the malicious code directly into the user's web traffic. This technique, known as network injection, can redirect the target to an exploit server even if they are just browsing a legitimate website.

Exploiting the Browser and Kernel

Once an attack vector is triggered, the spyware must break through the operating system's defenses. Both Pegasus and Predator often use exploit chains that target the mobile browser first. For example, Predator attacks have exploited vulnerabilities in Google Chrome's V8 engine or Apple's WebKit (Safari's engine) to achieve initial code execution. In one campaign targeting Samsung phones, Predator used a chain of exploits to escape the Chrome browser sandbox. Once out, it used a privilege escalation exploit to gain root access to the device, allowing the spyware to inject its malicious code into privileged system processes. Similarly, attacks on iPhones have chained together vulnerabilities to bypass iOS's strict sandboxing. An example is the targeting of a former Egyptian member of parliament, where the spyware used three zero-days to bypass certificate validation, elevate privileges, and achieve remote code execution.

Stealth and Persistence

Once inside, these spyware families go to great lengths to hide. Predator's Android payload, often delivered by a loader called Alien, is injected into the Zygote process, which is the parent process from which all Android apps are forked. Once the malware is installed, it sets up a dedicated storage location for exfiltrated data and makes modifications to evade detection.

The Data Harvesting Capabilities

The ultimate objective of these infections is comprehensive surveillance. Once deployed, the spyware can extract a vast range of sensitive information from the compromised device. The spyware can record phone calls, capture VoIP conversations from apps like WhatsApp and Signal, and access SMS messages and emails in real time. Another capability is environmental hijacking. This allows operators to remotely activate the device’s microphone for listening or turn on the camera to capture photos and record video without the user’s knowledge. The spyware also enables continuous location tracking through persistent GPS monitoring, giving operators real-time insight into a target’s movements.

Defending Against State-Sponsored Spyware

For the average user, the risk of being targeted by Pegasus or Predator is very low, as these tools cost millions of dollars to deploy. However, for journalists, activists, business executives, and government officials, the threat is real. While it may not always be possible to completely stop advanced spyware infections, you can significantly reduce the chances of a successful attack by making exploitation more difficult. Here's how.

Reboot your device daily

Research from groups like Amnesty International and Citizen Lab shows that some Pegasus infection chains rely on zero-click exploits that lack persistence. Regularly restarting your device can disrupt the spyware, forcing attackers to re-infect it repeatedly. Over time, repeated attempts increase the likelihood of detection through crashes or forensic traces.

Disable iMessage and FaceTime if you are high-risk

Because iMessage is enabled by default and deeply integrated into iOS, it has been a target for zero-click exploit chains. Security researchers have noted strong demand in exploit markets for iMessage vulnerabilities. If you are in a high-risk category (such as a journalist or activist), disabling iMessage and FaceTime can remove a major attack surface, though it may be inconvenient.

Keep iOS updated

Install security updates as soon as they are released. While some attackers use expensive zero-day exploits, many campaigns rely on already-patched vulnerabilities. Running the latest version of iOS helps close known security gaps.

Avoid clicking suspicious links

Not all spyware operators can afford zero-click exploits. Many rely on one-click attacks delivered via SMS, email, or messaging apps. Avoid opening unknown links on your phone.

Use Lockdown Mode

For high-risk iOS users, Apple's Lockdown Mode provides an extreme security setting that severely limits device functionality to block attack vectors like iMessage link previews.

Sideloading awareness

Avoid installing apps from outside official stores, and scrutinize app permissions.
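The reboot advice above rests on a detection idea: a non-persistent implant that has to be re-delivered after every restart tends to leave a trail of repeated crashes in message-parsing processes shortly after each boot. The script below is an added example (not from the article or any forensic toolkit) that triages a constructed device event log for exactly that pattern; the log format, the process names and the thresholds are assumptions made for illustration.

```python
"""Flag messaging-process crashes that recur across several reboot cycles,
the trace a non-persistent zero-click implant re-delivered after each
restart would leave. Added example; format and names are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <event> <detail>", where event is
# BOOT (device restarted) or CRASH (detail names the crashed process).
SAMPLE_LOG = """\
2026-02-20T07:01:10 BOOT system
2026-02-20T07:03:42 CRASH imagent
2026-02-20T09:15:00 CRASH Safari
2026-02-21T07:02:05 BOOT system
2026-02-21T07:04:51 CRASH imagent
2026-02-21T07:05:03 CRASH MessagesBlastDoorService
2026-02-22T07:00:30 BOOT system
2026-02-22T07:03:12 CRASH imagent
2026-02-23T07:01:44 BOOT system
"""

# Processes that parse inbound message content before the user opens it;
# assumed names used for illustration only.
MESSAGING_PROCS = {"imagent", "MessagesBlastDoorService"}

def parse_log(text):
    """Return (timestamp, event, detail) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, detail = line.split(maxsplit=2)
        events.append((datetime.fromisoformat(ts), event, detail))
    return events

def crashes_per_boot(events):
    """Group messaging-process crashes by the boot session they occurred in."""
    sessions = defaultdict(list)
    boot = None
    for ts, event, detail in events:
        if event == "BOOT":
            boot = ts
        elif event == "CRASH" and boot is not None and detail in MESSAGING_PROCS:
            sessions[boot].append((ts, detail))
    return sessions

def suspicious_sessions(events, min_sessions=2, within_minutes=10):
    """Boot times followed by a messaging crash within within_minutes; returned
    only when the pattern repeats across at least min_sessions reboots."""
    hits = []
    for boot, crashes in crashes_per_boot(events).items():
        if any((ts - boot).total_seconds() <= within_minutes * 60 for ts, _ in crashes):
            hits.append(boot)
    return sorted(hits) if len(hits) >= min_sessions else []
```

On the constructed log the heuristic reports three consecutive boot sessions, each with a crash of a message-parsing process within minutes of startup, while the unrelated Safari crash is ignored.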

Conclusion

The cat-and-mouse game between spyware vendors and tech giants like Apple and Google continues to escalate. As spyware becomes more commoditized, the barriers to conducting such surveillance are lowering. Understanding how this spyware operates is the first step to protecting ourselves in the face of sophisticated threats.
