top of page
Search

The Commercialisation of Mobile Intrusion: Private Sales of Smartphone Exploitation Technology

  • Writer: Matthew Parish
    Matthew Parish
  • Sep 4
  • 6 min read
ree

In the digital age, the smartphone has become the most intimate object of daily life. It is simultaneously a telephone, diary, financial instrument, camera, and global positioning device. Whoever can enter a modern smartphone holds an unprecedented key to a person’s private world. For decades, the ability to penetrate such devices was the preserve of a handful of state security agencies with lavish budgets and access to cutting-edge research.


As is typically the case with technology initiated by governments and sought to be kept secret, hat monopoly is now being eroded as the technology ceases to be secret. A wave of private companies, many of them start-ups spun out of Israel, Italy, the United States and the Gulf are commercialising the ability to infiltrate smartphones, extract data, and even turn them into surveillance tools. These companies sell not only to national intelligence services, but also to immigration authorities, police, and occasionally clients whose bona fides are questionable. That typically includes agencies of states without strong rule-of-law traditions or legal frameworks protecting individual privacy.


How the Technology Works


The techniques by which such companies prise open the fortress of a modern smartphone are varied but increasingly refined. One method involves so-called “zero-click” exploits, in which a vulnerability in a phone’s messaging system, browser or operating system is triggered without the user clicking on anything. Malicious code is delivered silently and invisibly, opening the door to full remote control. Another method relies on “one-click” phishing, in which the target is lured into tapping on a seemingly innocuous link, thereby installing spyware. Once inside, the attacker can access the entire contents of the phone: stored files, photographs, location history, microphone and camera, encrypted applications such as WhatsApp or Signal, and even live ambient recordings.


The most notorious example of such software is NSO Group’s Pegasus, an Israeli product that was originally advertised as a counter-terrorism tool. Yet Pegasus is no longer unique; other firms such as Cellebrite, Candiru, Intellexa, and Italy’s Hacking Team (before its own exposure and collapse) have offered comparable services. Whereas Pegasus emphasised covert long-term infiltration, other companies focus upon forensic extraction, seizing a device and quickly cloning its contents.


Case Studies in Government Sales


The clientele for such services is expanding rapidly, and a series of case studies illustrates how far-reaching the phenomenon has become.


  • Mexico and Pegasus: Mexico was one of the earliest and largest customers of NSO’s Pegasus spyware. Officially the licence was purchased to combat the country’s powerful drug cartels. However, in 2017 it emerged that Pegasus had been used against journalists, human rights lawyers and anti-corruption campaigners, sparking outrage. The Mexican case showed that even in a country with democratic institutions, there was little restraint on the temptation to use advanced surveillance against political critics.


  • Saudi Arabia and the Khashoggi Affair: Saudi Arabia also purchased Pegasus, and subsequent investigations revealed that associates of the murdered journalist Jamal Khashoggi were targeted by the spyware both before and after his killing in Istanbul in 2018. This case drew global attention to the human rights implications of allowing authoritarian regimes access to tools that can infiltrate any smartphone on earth.


  • United States and ICE: In 2022–23, reports surfaced that United States Immigration and Customs Enforcement (ICE) had purchased tools from Cellebrite, an Israeli firm specialising in forensic phone extraction. These systems were used not just in counter-terrorism but also in routine immigration enforcement. The ICE example highlights how such technology has migrated from the realm of intelligence elites to become part of the standard toolkit of ordinary government agencies, raising questions about proportionality and oversight.


  • Europe and Hacking Team: Italy’s Hacking Team was once one of the most prominent providers of intrusion technology. Its clients included Morocco, Ethiopia and Kazakhstan, as well as European police agencies. In 2015, however, the company itself was hacked, and its internal emails revealed sales to governments with poor human rights records. The scandal showed how easily commercial companies could spread sensitive capabilities far beyond their intended markets.


  • Intellexa and Greece: More recently the Intellexa consortium, with connections to Greece and other EU states, marketed its Predator spyware to multiple governments. In Greece, revelations that opposition politicians and journalists were targeted led to a domestic political scandal in 2022–23, demonstrating that such systems can be misused even within the European Union.


These cases illustrate a broader trend: commercial spyware has become a global export industry, and the list of customers ranges from the United States to Mexico, from Saudi Arabia to Ethiopia, and from EU member states to authoritarian regimes in Central Asia.


Historical Perspective: From National Monopolies to Market Commodities


Historically, the ability to intercept communications followed a clear hierarchy. Wiretaps were common, but true access to encrypted digital systems was rare. The United States’ National Security Agency, Britain’s GCHQ, and a few other intelligence behemoths invested billions in research to maintain their advantage. Ordinary police forces could not dream of such reach. What has changed is that entrepreneurial companies have converted state research into commercial products, monetising vulnerabilities that once would have been jealously hoarded by governments.


A crucial factor in this shift has been the exploitation of “zero-day” vulnerabilities, flaws in code unknown even to the manufacturer. Whereas such vulnerabilities once flowed into secret state arsenals, today they are traded on an open market. Private firms buy them, weaponise them, and repackage them as turnkey surveillance solutions. The line between national security and commercial espionage has blurred.


Implications of Widespread Availability


The implications of this trend are grave. The democratisation of smartphone intrusion technology raises questions about civil liberties, state overreach and global security. If ICE can buy systems capable of hacking into phones without a warrant, what is to stop other domestic agencies from doing the same? If commercial vendors are willing to sell to any government with cash, what prevents authoritarian regimes from abusing these systems against their political opponents?


Moreover as more countries gain access, the possibility of reciprocal surveillance escalates. Just as the nuclear revolution of the mid-twentieth century forced a balance of terror, the diffusion of digital intrusion tools may create an unstable equilibrium of mutual vulnerability. No politician, diplomat or general can be certain that his or her communications are safe. The smartphone in a pocket becomes a permanent potential spy.


Looking into the near future, the most likely consequence is that the technology will trickle down still further. Today it is national agencies and large police forces. Tomorrow it may be provincial authorities, corporate actors, or even criminal syndicates who purchase or replicate these tools. The market incentive is strong, and the barriers to entry are falling. We may soon inhabit a world in which smartphone privacy is effectively extinct.


Forecast: The Next Phase of Surveillance Technology


If present trends continue, several groups are poised to gain access to smartphone intrusion tools in the near future:


  • Authoritarian Governments in Africa and Asia: States with weak judicial oversight, such as Uganda, Myanmar, or Turkmenistan, are likely to purchase off-the-shelf spyware to monitor political opposition. Commercial vendors, eager for new markets, will continue selling into these regions.


  • Mid-Level Law Enforcement in Democracies: Municipal police forces in Europe or the United States, previously dependent on federal or state intelligence agencies for advanced technology, may soon acquire their own forensic phone hacking tools. This will blur lines between ordinary policing and intelligence operations.


  • Private Corporations: Energy companies, financial institutions, or powerful conglomerates in Latin America, Asia, and Africa may be tempted to deploy spyware against rivals or trade unions. Although illegal in most jurisdictions, weak enforcement and offshore contracting could make this possible.


  • Organised Crime Groups: Black markets for zero-day exploits are already thriving. As commercial spyware becomes more common, criminal syndicates engaged in drug trafficking, human smuggling, or financial fraud will almost certainly acquire these tools, either by purchasing them covertly or by repurposing older versions leaked online.


  • Mercenary Technology Firms: Just as private military companies proliferated in the early twenty-first century, we may see private surveillance firms acting as contractors for governments and corporations, offering “surveillance as a service”. These entities will sell not just the software but also trained operators, further lowering the barriers to entry. Private investigatioin firms (often offshore) will surely obtain access to them, selling them to anyone for the right fee.


The implication of this diffusion is a profound destabilisation of the information environment. Privacy, already fragile, will become almost impossible to guarantee. Diplomats, journalists, activists and business leaders may be forced to operate on the assumption that their devices are permanently compromised. This, in turn, could provoke a new wave of encryption technologies, counter-surveillance tools, and perhaps even legal prohibitions akin to arms control treaties.


Privacy Dissolved


The rise of private companies selling smartphone exploitation systems marks a profound transformation in the architecture of global surveillance. What was once the prerogative of a few powerful governments is becoming a commercial service. The Mexican misuse of Pegasus, Saudi Arabia’s targeting of dissidents, Greece’s domestic scandal with Predator, and ICE’s purchase of Cellebrite systems all demonstrate that this technology is not confined to counter-terrorism but is increasingly applied to everyday policing and political control.


The next phase will see authoritarian regimes, corporations, private individuals and even criminal groups gaining comparable access. Unless international norms or legal restrictions emerge, the smartphone may prove to be the Trojan Horse of the twenty-first century, carrying within it the seeds of a surveillance society more pervasive than anything imagined in earlier eras.

 
 

Note from Matthew Parish, Editor-in-Chief. The Lviv Herald is a unique and independent source of analytical journalism about the war in Ukraine and its aftermath, and all the geopolitical and diplomatic consequences of the war as well as the tremendous advances in military technology the war has yielded. To achieve this independence, we rely exclusively on donations. Please donate if you can, either with the buttons at the top of this page or become a subscriber via www.patreon.com/lvivherald.

Copyright (c) Lviv Herald 2024-25. All rights reserved.  Accredited by the Armed Forces of Ukraine after approval by the State Security Service of Ukraine. To view our policy on the anonymity of authors, please click the "About" page.

bottom of page