Zero-Day Phone Hacks: How Spyware Slips Into Your Device Before Anyone Knows

Filip TRUȚĂ

May 28, 2026

A single missed call. A malicious image. A hidden flaw buried deep in your phone’s software. That can be enough for attackers to install spyware and read your messages, track your location, record you through the phone’s camera and mic, and siphon sensitive data — without you tapping a single link.

In recent years, zero-day vulnerabilities targeting smartphones have become some of the most powerful tools in the cybercriminal and cyber-espionage arsenal. These attacks are especially dangerous because they exploit software flaws that vendors don’t even know about — meaning no patch is available when the attacks begin.

And while spyware campaigns often target high-profile individuals like activists, journalists, politicians, and executives, ordinary consumers are increasingly at risk too. Criminal groups are adapting advanced techniques once reserved for state-sponsored operations, turning smartphones into lucrative targets for fraud, identity theft, and surveillance.

Key takeaways

  • Zero-day vulnerabilities are software flaws attackers exploit before developers can create a fix
  • Spyware can infect phones through messages, calls, images, apps, or websites — sometimes with zero user interaction
  • Pegasus, Predator, and Triangulation are among the best-known spyware campaigns targeting smartphones
  • Both iPhones and Android devices have been affected by sophisticated zero-day attacks
  • Advice for consumers: how to reduce the risk of a spyware infection

What is a zero-day vulnerability?

A zero-day vulnerability is a software flaw unknown to the vendor or developer at the time attackers begin exploiting it. Since there are “zero days” to prepare a defense, users are at risk until a patch becomes available.

When attackers combine multiple zero-days into an “exploit chain,” they can bypass phone security protections and silently install spyware.

Modern spyware is capable of:

  • Reading encrypted chats
  • Accessing photos and emails
  • Recording calls
  • Activating microphones and cameras
  • Tracking real-time location
  • Stealing passwords and authentication tokens

Some infections leave almost no visible signs behind.

How zero-day spyware attacks work

Traditional hacker attacks usually require victims to click a malicious link or install a rogue app. Zero-day exploits can be far stealthier.

In zero-click attacks, for instance, victims don’t even need to interact with anything at all. Attackers may exploit flaws in messaging apps, image rendering systems, or call functions simply by sending specially crafted data to the device.

Something as simple as a malicious text message can trigger code execution automatically in the background.

Exploit chains

Sophisticated spyware campaigns rarely rely on a single software flaw. Attackers often chain together multiple vulnerabilities to:

  1. Gain initial access
  2. Escape app sandboxes
  3. Escalate privileges
  4. Achieve full device control
  5. Maintain persistence on the target device

This allows spyware to survive reboots and operate invisibly.

Notable real-world spyware incidents

Pegasus spyware and iPhone zero-days

Perhaps the most infamous spyware platform is Pegasus, developed by Israeli firm NSO Group. Over the years, researchers uncovered multiple Pegasus campaigns exploiting zero-day flaws in iPhones.

One major campaign used a zero-click exploit delivered through Apple’s iMessage service. Victims reportedly became infected without opening messages or clicking links.

Security researchers found Pegasus infections on devices belonging to journalists, activists, diplomats, and business leaders in multiple countries.

Apple later released emergency security updates addressing the exploited vulnerabilities and introduced Lockdown Mode to help protect high-risk users from advanced spyware.

Operation Triangulation

In 2023, researchers uncovered “Operation Triangulation,” an advanced iPhone espionage campaign that leveraged multiple iOS zero-days.

Victims reportedly received malicious iMessages with invisible attachments that triggered infection automatically. The malware gained deep system access and exfiltrated sensitive information.

The campaign highlighted how even tightly controlled mobile ecosystems can still be vulnerable to sophisticated exploit chains.

Predator spyware on Android and iPhone

Predator spyware, linked to the Intellexa alliance, targeted both Android and iPhone users using malicious links and advanced exploits.

Researchers observed campaigns impersonating news organizations and legitimate websites to trick users into visiting malicious pages that deployed spyware.

Once installed, Predator could access messages, microphones, cameras, and encrypted communications.

Android zero-days exploited in the wild

Android devices have also faced repeated zero-day exploitation. In some cases, attackers abused vulnerabilities in GPU drivers, browsers, or the Android kernel to gain elevated privileges.

Google’s Threat Analysis Group has warned that commercial spyware vendors continue developing sophisticated Android exploit chains capable of bypassing modern protections.

Why smartphones are prime targets for hackers

Smartphones have become digital vaults containing:

  • Banking apps
  • Password managers
  • Authentication codes
  • Private conversations
  • Health information
  • Work communications
  • Personal photos and documents

Unlike laptops, phones are almost always powered on, connected, and carried everywhere — making them extremely valuable surveillance targets.

Many users also delay installing updates, giving attackers a larger window of opportunity.

Warning signs of spyware infection

Advanced spyware is difficult to detect, but warning signs may include:

  • Rapid battery drain
  • Overheating without explanation
  • Increased data usage
  • Random crashes or reboots
  • Microphone or camera activating unexpectedly
  • Strange messages or calls
  • Apps requesting unusual permissions

Still, many sophisticated infections leave no obvious indicators.

How consumers can reduce the risk

While no defense is perfect against advanced zero-days, you can significantly lower your exposure.

Install updates immediately

Software updates often contain critical security patches that close actively exploited vulnerabilities.

Enable automatic updates for:

  • Operating systems
  • Messaging apps
  • Browsers
  • Security software

Delaying updates gives attackers more time to exploit known flaws.

Use a trusted mobile security solution

A reputable mobile security solution can help detect malicious apps, phishing attempts, suspicious behavior, and known spyware indicators.

Security tools may also block malicious websites used in spyware delivery campaigns.

Even sophisticated attacks sometimes begin with phishing.

Avoid:

  • Unexpected links
  • Unknown attachments
  • Messages urging urgent action
  • Apps from unofficial stores

Limit app permissions

Review which apps can access:

  • Camera
  • Microphone
  • Location
  • Contacts
  • Photos

Revoke permissions that don’t make sense for an app’s functionality.
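
An added example, not part of the original article: on Android, one way to do this review from a computer is to save the output of `adb shell dumpsys package` and list which apps currently hold the permissions named above. The sample dump is constructed and abbreviated, the package names are hypothetical, and the text layout of `dumpsys` output is assumed from current Android releases rather than guaranteed.

```python
import re
from collections import defaultdict

# Android runtime permissions behind the categories listed above.
SENSITIVE = {
    "android.permission.CAMERA": "Camera",
    "android.permission.RECORD_AUDIO": "Microphone",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_MEDIA_IMAGES": "Photos",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

# Constructed, abbreviated sample in the shape of `adb shell dumpsys package`.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_FIXED]
"""

def audit_permissions(dump_text):
    """Return {package: sorted sensitive categories that are currently granted}."""
    granted = defaultdict(set)
    package = None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)  # start of a new package section
            continue
        m = PERM_RE.match(line)
        if m and package and m.group(2) == "true" and m.group(1) in SENSITIVE:
            granted[package].add(SENSITIVE[m.group(1)])
    return {pkg: sorted(cats) for pkg, cats in granted.items()}

print(audit_permissions(SAMPLE_DUMP))
```

In the sample, a flashlight app holding both camera and microphone access is the kind of mismatch worth revoking; apps with every sensitive permission denied do not appear in the result.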

Enable enhanced protection modes

Apple’s Lockdown Mode and similar hardened security features can reduce attack surfaces for users who may face elevated risk.

These protections may restrict some functionality but can help block advanced exploit techniques.

Restart devices regularly

Some spyware strains rely on remaining active in memory. While not a complete solution, rebooting phones periodically may disrupt certain infections.

Separate work and personal activity

Using separate devices or profiles for sensitive work can reduce exposure if one device becomes compromised.

Commercial spyware vendors continue developing increasingly advanced tools that can target mainstream devices at scale. At the same time, cybercriminals are borrowing techniques once associated mainly with intelligence agencies. Our phones have become integral to our daily lives. Protecting them is no longer optional.

Author


Filip TRUȚĂ

Filip has 17 years of experience in technology journalism. In recent years, he has focused on cybersecurity in his role as a Security Analyst at Bitdefender.
