The following post details how devices get hacked in 2025, both remotely by the likes of ODITs / Pegasus / Predator / et al, and locally by attackers with physical access.
While there are plenty of types of spyware / malware out there to be concerned about, the biggest threats are known as “zero-click, 0-day” attacks. Let’s break this down:
- zero-click: no interaction required by a user for an attacker to install malware onto a target device
- 0-day: “zero-day” or “oh-day” (after the typical reaction of internal security teams, “oh sh-”), a bug unknown to the developers of a piece of software (apps, operating systems, firmware, etc.), and therefore unpatched, that an attacker exploits to perform some malicious action
These attacks leverage a bug (or a chain of bugs strung together) in the code of popular applications and operating systems. WhatsApp and iMessage have infamously been high-value targets for bad actors because of their large international user bases: a digital arms dealer knows there is a good chance a given target has the app on their device, so the upfront cost of developing or buying an exploit to weaponize earns a higher return on investment. Once developed, the same “warhead” can be used many times against multiple targets, in some cases for years, while remaining undetected.
Remote Access from Anywhere
Capable of targeting both Android and iPhone devices (also tablets or computers), spyware can:
- activate the cameras and microphones to “see” and “hear” a live feed of the surroundings
- record audio, pictures and video for later exfil
- log keystrokes, anything typed – even if it is deleted or left unsent
- read and transmit messages (including “encrypted” chats, like someone reading the screen over your shoulder)
- intercept or falsify messages
- impersonate legitimate apps with “poisoned” versions
- listen in on calls (again, even from encrypted apps)
- reveal contact lists to build relationship maps
- track location
- generally gather information from any other app on a device (password managers, health and fitness, podcasts, dating)
- bypass protections such as VPNs or antivirus
- send back information about the device, like the serial number, associated SIM cards and phone numbers, IMEIs, nearby WiFi networks and Bluetooth devices, a history of WiFi networks and Bluetooth devices it has connected to, and so on
- hide itself, including a self-destruct feature that removes all traces of infection
Due to the lucrative nature of the global spyware market, many companies have devoted vast resources to building stockpiles of these digital weapons, with sophisticated C2 (command and control) infrastructure distributed around the world. The mechanisms by which they act are obfuscated by tradecraft techniques. Some of the more well-known tools + players in this space are:
Pegasus – Initially released in 2011 by NSO Group. Perhaps the most famous suite of spyware tooling. According to its marketing documents, it is meant to aid investigations into terrorist groups and criminals. However, it has been verifiably used by governments to spy on legitimate critical opposition, including journalists, activists, whistleblowers and politicians.
Predator / Alien – Developed by Cytrox, which was founded in 2017. Part of the Intellexa Consortium. Sanctioned by the US Treasury in 2024.
Graphite – A relative newcomer to the spyware scene, provided by Paragon Solutions. In 2024, US Immigration and Customs Enforcement signed a $2M USD contract with Paragon.
Spyrtacus – From Italian spyware provider SIO. Original samples date back to 2019, the most recent version captured near the end of 2024.
RCS – Remote Control System. Now defunct. Developed by HackingTeam, one of the oldest spyware vendors (founded 2003), which was rolled into a new organization, Memento Labs, in 2019 following its 2015 data breach and the bad press that came with it.
Governments have also been known to develop bespoke spyware payloads aimed at smaller groups of high-value targets. This is evidenced by the string of encrypted communication providers that have been hacked and subsequently shut down in the past decade, namely Phantom Secure, Anom (an FBI honeypot from the start), Encrochat, SkyECC, Matrix and others.
Physical Forensic Analysis
Now we move on to attackers with physical access and forensic tooling. A typical scenario could look like being forcibly separated from your device at a border / customs checkpoint. The phone, camera, drone, smartwatch, USB drive, tablet, or laptop would be taken into a back room, hooked up to a specialized computer, and harvested for data or compromised with a spyware implant. This can happen in a matter of minutes.
Aimed at a wide variety of electronics, forensic tools can:
- dump files, browser history, databases, pictures, videos, contact lists, call logs, documents, notes, chats, even entire system images en masse
- bypass or brute-force lockscreen passcodes, and with them the storage encryption keys derived from them; a 4-6 digit PIN has only ten thousand to a million possibilities and falls with relative ease once the attempt counter can be sidestepped
- install stay-behind spyware to continue information gathering, potentially even resilient to device wipe / factory reset, OTA updates, and “security” solutions like Samsung Knox or MDMs
- read flash memory directly from a disassembled device, known as a “chip-off” extraction
- recover “deleted” messages or files
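Why the PIN point above matters in practice, as an added example that is not part of the original post: once a forensic tool can read the encrypted storage and the PIN-derived key material off a device, it no longer has to respect the lock screen's attempt counter and can guess offline as fast as its hardware allows. The key derivation here (PBKDF2-HMAC-SHA256 with a constructed salt and a deliberately tiny iteration count) is a stand-in for whatever a real device uses, and the victim PIN is made up; the point is the size of the search space, not the exact KDF.

```python
"""Added example (not the post's own code): offline brute force of a short numeric PIN."""
import hashlib
import itertools
import time
from typing import Optional, Tuple

SALT = b"constructed-per-device-salt"  # assumption: a per-device random salt
ITERATIONS = 50                        # kept tiny so the demo runs in well under a second
KEY_LEN = 32


def derive_key(pin: str) -> bytes:
    """Derive a storage key from the lock-screen PIN (stand-in for a real device KDF)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, ITERATIONS, KEY_LEN)


def key_check_value(key: bytes) -> bytes:
    """What the device stores to recognise the right key without storing the key itself."""
    return hashlib.sha256(b"kcv" + key).digest()


def brute_force_pin(kcv: bytes, digits: int,
                    max_attempts: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Try every numeric PIN of the given length in order, offline.

    Returns (pin, attempts) on success, or (None, attempts) when the space or
    the attempt budget is exhausted. No lockout applies: the attacker is not
    talking to the lock screen, only to the extracted key material."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        if max_attempts is not None and attempts >= max_attempts:
            break
        pin = "".join(combo)
        attempts += 1
        if key_check_value(derive_key(pin)) == kcv:
            return pin, attempts
    return None, attempts


def measure_rate(samples: int = 200) -> float:
    """Measure how many guesses per second this machine manages with the toy KDF."""
    start = time.perf_counter()
    for i in range(samples):
        key_check_value(derive_key(f"{i:04d}"))
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(digits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every PIN of the given length at the given rate."""
    return 10 ** digits / guesses_per_second


if __name__ == "__main__":
    victim_pin = "7391"  # constructed example PIN
    kcv = key_check_value(derive_key(victim_pin))
    found, tries = brute_force_pin(kcv, 4)
    print(f"recovered {found} after {tries} guesses")
    rate = measure_rate()
    for d in (4, 6, 8):
        print(f"{d}-digit PIN: worst case {seconds_to_exhaust(d, rate):.1f} s at {rate:.0f} guesses/s")
```

The defence is not a faster KDF alone; it is keeping the guess loop on the device, inside a secure element that enforces its own attempt counter and escalating delays, so the attacker cannot take the problem offline. A long alphanumeric passphrase raises the search space by many orders of magnitude even if they do.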
Some of the better-known products in this space are:
Graykey – From Magnet Forensics. Includes collaborative tools for teams to easily share extracted data.
UFED – Universal Forensic Extraction Device, made by Cellebrite, one of the most famous forensic tool vendors. It has been the go-to solution for over a decade.
OMG Cable – Sold through Hak5, a company known for penetration testing tools used by investigators and security teams. It looks like an ordinary charging cable but contains a hidden wireless implant that can inject keystrokes into whatever it is plugged into.
How We Protect Against These Attacks
USB Data Access Disabled – When a device is booted into the OS, USB data transfer is completely cut off. The USB port can only be used for charging. There is no way for an attacker to re-enable it, even if they have full unfettered access to the device settings. This makes mass data collection by an attacker with physical access much more difficult (see: expensive).
Minimal Preloaded Apps – Unlike other smartphones, we only include the absolute basic apps necessary for the phone to work. No default browser. No Google. No Meta. No social media whatsoever. We do not force you into a subscription service or specific chat app. Multiple anonymous app stores to choose from that do not require login. The option to install certain apps direct from the source. Take control of your device and only install what you need.
Isolated Workflows with Private Spaces – Keep sensitive apps and files hidden from view. Require a secondary password, different from the primary lockscreen.
Android Verified Boot – AVB establishes a full chain of trust for the code running on a device, rooted in a key the bootloader trusts (on a locked device, a key whose hash is burned into the hardware at the factory). Each stage verifies the signature or hash of the next before handing over to it, so an operating system or partition that has been tampered with in any way fails verification instead of being booted.
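A simplified model of that chain, as an added example rather than code from the original post or from AOSP: real AVB signs a vbmeta structure with the vendor's key, whose hash is fused into the SoC, and vbmeta carries hash descriptors (or a dm-verity hash-tree root) for boot, system and vendor. This stand-in replaces the signature with a plain SHA-256 of vbmeta and uses constructed partition images; the verification logic (check before you execute, halt on the first mismatch) is the part worth seeing.

```python
"""Added example (not the post's own code): a hash-only model of Android Verified Boot."""
import hashlib
import json
from typing import Dict, List


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_vbmeta(partitions: Dict[str, bytes]) -> bytes:
    """Serialize hash descriptors (partition -> hex digest), standing in for a vbmeta image."""
    descriptors = {name: digest(image).hex() for name, image in sorted(partitions.items())}
    return json.dumps(descriptors, sort_keys=True).encode()


def fuse_root_of_trust(vbmeta: bytes) -> bytes:
    # Stand-in for the OEM public-key hash burned into the SoC at the factory.
    # Real AVB verifies a signature over vbmeta with that key; here the digest
    # of vbmeta itself plays that role, which is why an attacker who rewrites
    # vbmeta cannot make it match without changing the fuses.
    return digest(vbmeta)


def verified_boot(fused: bytes, vbmeta: bytes, partitions: Dict[str, bytes]) -> List[str]:
    """Bootloader logic: verify vbmeta against the fused root, then every
    partition against its descriptor, before anything is executed.

    Returns the verified partitions in order; raises RuntimeError at the first
    mismatch, which is where a real device halts (or shows a warning if unlocked)."""
    if digest(vbmeta) != fused:
        raise RuntimeError("vbmeta does not match fused root of trust")
    descriptors = json.loads(vbmeta)
    verified = []
    for name, expected_hex in descriptors.items():
        if name not in partitions:
            raise RuntimeError(f"{name} partition is missing")
        if digest(partitions[name]).hex() != expected_hex:
            raise RuntimeError(f"{name} partition failed verification")
        verified.append(name)
    return verified


def boot_outcome(fused: bytes, vbmeta: bytes, partitions: Dict[str, bytes]) -> str:
    """Human-readable result of a boot attempt, for the demo and for checking."""
    try:
        return "booted " + ",".join(verified_boot(fused, vbmeta, partitions))
    except RuntimeError as err:
        return "halted: " + str(err)


def demo_device():
    """Constructed partition images for a freshly flashed device."""
    partitions = {
        "boot": b"kernel+ramdisk v1",
        "system": b"system image v1",
        "vendor": b"vendor blobs v1",
    }
    vbmeta = build_vbmeta(partitions)
    return fuse_root_of_trust(vbmeta), vbmeta, partitions


if __name__ == "__main__":
    fused, vbmeta, parts = demo_device()
    print(boot_outcome(fused, vbmeta, parts))
    # An implant written into /system changes its digest: caught at that partition.
    implanted = dict(parts, system=b"system image with stay-behind implant")
    print(boot_outcome(fused, vbmeta, implanted))
    # Re-generating vbmeta to match the implant moves the failure up the chain:
    # the attacker can rewrite flash, but not the fused root of trust.
    print(boot_outcome(fused, build_vbmeta(implanted), implanted))
```

The caveat a practitioner will want: this protection only holds while the bootloader is locked. An unlocked bootloader accepts images signed with any key (or none), which is exactly the state a physical attacker, or a careless user, can leave a device in, so locking the bootloader after installing a custom OS is part of the defence, not an optional extra.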
References
Pegasus – NSO Group https://www.nsogroup.com
Graphite – Paragon https://paragonsolutions.io
Predator / Alien – Cytrox https://en.wikipedia.org/wiki/Cytrox
Spyrtacus – SIO https://techcrunch.com/2025/02/13/spyware-maker-caught-distributing-malicious-android-apps-for-years/
RCS – HackingTeam / Memento Labs https://en.wikipedia.org/wiki/HackingTeam
Graykey – Magnet Forensics https://www.magnetforensics.com/products/magnet-graykey/
UFED – Cellebrite https://cellebrite.com/en/ufed
OMG Cable – Hak5 https://hak5.org/collections/omg-row2/products/omg-cable?variant=39808316276849
Paragon + DHS / ICE Contract https://cdt.org/wp-content/uploads/2024/11/Civil-Society-Letter_DHS-ICE-contract-with-Paragon-Solutions.pdf
Intellexa Consortium + US Treasury Sanction https://home.treasury.gov/news/press-releases/jy2155
Cellebrite Used to Plant 0-day https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/