
Gatekeeper for Mobile Spyware Infection and Control
Mobile spyware has become one of the sharpest weapons in modern cyber‑warfare, silently commandeering smartphones and siphoning off private conversations, photos, and real‑time locations. Yet even the most sophisticated espionage kits share a single, critical dependency: some form of network connectivity is required to reach and later to control the target device.
While the first malicious packet can arrive through many different routes, every successful campaign needs a data path for one or more of these stages:
Delivery – getting the malicious code or exploit onto the handset.
Command & Control (C2) – receiving instructions from the operator once the device is infected.
Exfiltration – sending harvested data back to the attacker.
Remove, restrict, or strictly isolate that connectivity and you starve the spyware of oxygen.
Main Infection Vectors
Threat actors typically rely on three broad techniques. Each has a different entry point, but all ultimately lean on an online channel to succeed at scale.
| Vector | How the Initial Compromise Happens | Where Connectivity is Needed |
|---|---|---|
| Social‑Engineering Attacks | The user is tricked into tapping a malicious link, installing a trojanised app, or granting intrusive permissions. Classic phishing, spear‑phishing, OAuth‑consent prompts, and look‑alike mobile apps fall in this bucket. | Immediately. The lure is delivered over email, SMS or messaging apps, and the payload is fetched from attacker‑controlled servers. |
| Remote (“Zero‑Click”) Exploits | A zero‑day in a messaging, browser or image‑parsing component is abused, often without any user interaction. Examples include NSO Group’s BLASTPASS or Candiru’s Sherlock chains. | Immediately and continuously. The exploit chain rides on network traffic, and once implanted the spyware keeps talking to its C2 over the internet. |
| Proximity & Local‑Network Attacks | The attacker sets up a rogue Wi‑Fi access point, fake cellular base‑station (BTS) or short‑range radio implant. The victim’s phone connects because the signal appears stronger or more legitimate than the real network. | Soon after compromise. The initial exploitation can occur over local radio signals alone, but the implant still needs upstream access to receive commands and leak data: via the same rogue AP, a cellular backhaul, or the wider internet once the phone reconnects. |
Important nuance: Purely physical techniques such as Evil‑Maid attacks (where an adversary gains direct hands‑on access to the handset) do exist, but they are expensive, noisy and do not scale. The overwhelming majority of observed spyware cases still begin with, or quickly pivot to, an internet‑based channel.
Case Study: WhatsApp vs. NSO Group
Court filings in WhatsApp Inc. v. NSO Group Technologies Ltd. describe how Pegasus operators pushed a specially crafted VoIP packet to targeted devices, exploiting a vulnerability in WhatsApp’s call handling. The implant was delivered in seconds and then immediately reached back to attacker infrastructure for further modules and tasking. Without that outward connection the compromise would have stalled. [See Exhibit 5 of the complaint.]
Breaking the Chain
Going completely offline is not realistic for modern mobile workforces, but organisations can still neutralise the most dangerous spyware campaigns by constraining when and how devices reach the internet.
Isolated Workspaces – Deploy secure‑by‑design containers that route corporate traffic through a hardened VPN while keeping personal apps in a separate restricted zone.
Minimal Attack Surface – Strip the workspace of consumer services most often abused for phishing (public email, social media, ad‑tech SDKs, etc.).
Detachable Connectivity – Give users a hardware or OS‑level option to disable radios when high‑risk activities (e.g., board meetings, travel through hostile borders) are underway.
With these controls in place, social‑engineering lures cannot reach the workspace, zero‑click chains have no remote target surface, and even proximity attacks lose their path for post‑exploitation C2.
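The three controls above reduce to one question that a workspace gateway can enforce on every connection: may this zone talk to this destination at all, and does the traffic to destinations outside the allowlist look like tasking or data leakage? The script below is an added example, not code from the original article or from any product it mentions. It evaluates constructed flow records from a hypothetical workspace VPN gateway against a two‑zone allowlist and flags the two post‑compromise behaviours the article describes: regular beaconing to an unlisted host (C2) and bulk upload to an unlisted host (exfiltration). Every hostname, IP address, threshold and the record format are assumptions made for the example.

```python
"""Egress policy check for a two-zone mobile workspace (constructed example).

Assumes a hypothetical VPN gateway exports one record per outbound
connection with: open time, workspace zone, destination, bytes sent.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # unix seconds when the connection opened
    zone: str       # workspace zone: "corp" or "personal"
    dst_host: str   # destination as seen by the gateway (name or IP literal)
    bytes_out: int  # bytes the handset sent over this connection


# Constructed policy. The corporate zone only reaches an explicit allowlist;
# the personal zone may reach any named host, but neither zone may talk to a
# bare IP literal (no DNS name at all is a poor sign for a business service).
POLICY = {
    "corp": {"mail.example.corp", "mdm.example.corp", "docs.example.corp"},
    "personal": None,  # None = any DNS hostname
}


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_allowed(zone: str, host: str, policy=POLICY) -> bool:
    """Allowlist decision: unknown zone or IP literal is always denied."""
    if zone not in policy or is_ip_literal(host):
        return False
    allow = policy[zone]
    return allow is None or host in allow


def looks_like_beacon(timestamps, min_count=4, max_jitter=0.2) -> bool:
    """True when one host is contacted repeatedly at near-constant intervals."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def evaluate(flows, policy=POLICY, exfil_bytes=5_000_000):
    """Return denied flows plus the unlisted hosts that beacon or bulk-upload.

    Behavioural checks run only on flows the allowlist already denies: an
    allowlisted mail server polled every minute is regular traffic too.
    """
    blocked = [f for f in flows if not is_allowed(f.zone, f.dst_host, policy)]
    by_host = defaultdict(list)
    for f in blocked:
        by_host[(f.zone, f.dst_host)].append(f)
    beacons = sorted(k for k, fs in by_host.items()
                     if looks_like_beacon([f.ts for f in fs]))
    exfil = sorted(k for k, fs in by_host.items()
                   if sum(f.bytes_out for f in fs) >= exfil_bytes)
    return {"blocked": blocked, "beacons": beacons, "exfil": exfil}


# Constructed gateway export. ".invalid" and 203.0.113.0/24 are reserved
# for documentation, so nothing here points at a real host.
SAMPLE_FLOWS = [
    # Legitimate corporate traffic: allowlisted hosts, irregular timing.
    Flow(0, "corp", "mail.example.corp", 12_000),
    Flow(60, "corp", "mail.example.corp", 9_500),
    Flow(400, "corp", "mail.example.corp", 11_200),
    Flow(410, "corp", "docs.example.corp", 50_000),
    # Unlisted host contacted every 300 s with a tiny payload: C2 heartbeat.
    Flow(0, "corp", "cdn-sync.invalid", 2_048),
    Flow(300, "corp", "cdn-sync.invalid", 2_048),
    Flow(600, "corp", "cdn-sync.invalid", 2_100),
    Flow(900, "corp", "cdn-sync.invalid", 2_048),
    Flow(1200, "corp", "cdn-sync.invalid", 2_048),
    # One bulk upload straight to an IP literal: exfiltration pattern.
    Flow(950, "corp", "203.0.113.7", 8_400_000),
    # Personal zone: named hosts allowed, irregular, modest volume.
    Flow(100, "personal", "photos.example.net", 1_000_000),
    Flow(130, "personal", "photos.example.net", 1_200_000),
    Flow(900, "personal", "photos.example.net", 900_000),
]


if __name__ == "__main__":
    report = evaluate(SAMPLE_FLOWS)
    print(f"denied connections: {len(report['blocked'])}")
    for zone, host in report["beacons"]:
        print(f"C2-like beaconing   zone={zone} host={host}")
    for zone, host in report["exfil"]:
        print(f"bulk upload         zone={zone} host={host}")
```

Run the file directly to print the report for the constructed records. The design choice worth noting is the order of the two checks: the allowlist decides what is known, and the beacon and volume heuristics only rank what the allowlist has already refused. That keeps the behavioural thresholds from generating noise on legitimate services, and it mirrors the article's point that a constrained workspace removes the data path rather than trying to recognise every implant by its traffic.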
Further Reading
https://www.occrp.org/en/daily/16216-greek-journalist-targeted-by-predator-spyware
https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/
https://www.washingtonpost.com/world/2023/05/24/pegasus-spyware-ayotzinapa-mexico
https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot