Most people think their phone is private. You have a passcode, maybe Face ID, and your messages are encrypted. That should be enough, right?
The truth is, there is an entire industry built around breaking into phones silently. Government agencies around the world use tools that can read your private messages, log every keystroke, track your location, and even activate your camera and microphone, all without you ever knowing something is wrong.
These tools are not science fiction. They are real, they are commercially sold, and some of them have been used against journalists, activists, and ordinary citizens.
In this article, I will break down what government spyware is, how it gets onto your phone, who is behind it, and what you can actually do to protect yourself.
What is government spyware?
Government spyware refers to advanced surveillance tools sold by private companies to law enforcement and intelligence agencies. Unlike regular malware that tries to steal banking info or lock your files, these tools are designed to be completely invisible. You will not see a new app icon, a notification, or any slowdown on your phone.
Once installed, these tools can:
- Read your private messages on WhatsApp, Signal, Telegram, and SMS
- Log every keystroke you type, including passwords
- Access photos, files, and app data
- Track your GPS location in real time
- Remotely activate your camera and microphone
- Intercept calls and texts
The most unsettling part is that the victim has no way to know they are being watched. The spyware runs silently in the background, hidden from the operating system's normal process lists.
The main players: Pegasus and Graphite
Two Israeli companies dominate this space: NSO Group and Paragon Solutions.
Pegasus (NSO Group)
Pegasus is the most well-known government spyware in the world, and not for good reasons. It has been used by authoritarian governments to target journalists, activists, and political dissidents. It was even linked to the surveillance of people close to Jamal Khashoggi, the journalist who was murdered by Saudi Arabia in 2018.
Pegasus is capable of what security researchers call a "zero-click" attack, which means the victim does not have to click anything or open any file. The spyware installs itself automatically by exploiting vulnerabilities in the phone's operating system or messaging apps.
Graphite (Paragon Solutions)
Paragon Solutions was founded in 2018 by former Israeli Prime Minister Ehud Barak and a former commander of Unit 8200, Israel's cyberwarfare division. Their product, Graphite, works similarly to Pegasus.
Paragon has tried to position itself as the "ethical" alternative. They claim they only sell to democratic governments that respect human rights. But in January 2025, WhatsApp confirmed that Graphite was used to target 90 accounts, including Italian journalists who were critical of their government and members of civil society organizations that rescue refugees at sea.
Italy is a democracy. It abides by international norms. And yet, the evidence suggests their government used this "ethical" spyware against journalists and activists.
The lesson is simple: you cannot abuse-proof government-deployed spyware. No matter what promises a vendor makes, once the tool is in the hands of a government, there is no technical safeguard that prevents misuse.
How spyware gets on your phone
Understanding the attack vectors is the first step to defending yourself.
Zero-click exploits
This is the most dangerous type of attack. The victim does not have to do anything. No link to click, no file to open, no app to install.
Here is how the Graphite WhatsApp attack worked: the target was added to a group chat. A PDF was automatically sent to the group. The phone's operating system automatically parsed the PDF in the background, even though the user never opened it. The parsing process triggered a vulnerability that loaded Graphite onto the device.
Pegasus has used similar exploits through iMessage. A specially crafted message would trigger a vulnerability in Apple's image rendering library, installing the spyware before the user even saw the message.
These exploits target weaknesses in how phones handle incoming data automatically. You cannot prevent them by being careful about what you click, because there is nothing to click.
One-click attacks
These require the victim to interact with something: tap a link, open a file, install an app. Phishing links and malicious attachments are the most common vectors. They are easier to pull off but also easier to avoid if you are cautious.
IMSI catchers (Stingrays)
Before software-based spyware became dominant, police used physical devices called IMSI catchers, commonly known by the brand name Stingray. These devices pretend to be cell phone towers, forcing nearby phones to connect to them. Once connected, the device can intercept calls, texts, and location data.
The Ontario Provincial Police bought a Stingray in 2014 for $2 million but stopped using it by 2017. They have since moved to software-based tools.
How much does this cost?
These tools are not cheap. A single Graphite license costs approximately $500,000. This high price tag means they are not deployed randomly. They are used in targeted investigations against specific individuals.
However, the cost also means that only well-funded agencies can afford them. For now, that limits the threat to government-level actors rather than random criminals or stalkers.
Can you detect government spyware?
These tools are designed to be nearly impossible to detect through normal means. You will not see a suspicious app in your app drawer or a process eating your battery. But they do leave traces that forensic tools can find.
Mobile Verification Toolkit (MVT)
Amnesty International developed an open-source tool called MVT that can scan your phone for indicators of spyware. It looks for forensic artifacts, suspicious processes, known indicators of compromise, and unusual network connections.
MVT is not a real-time protection tool. It is a forensic scanner, meaning you run it periodically to check if your device has been compromised. It works on both iOS and Android.
Citizen Lab
The Citizen Lab at the University of Toronto is one of the most important research groups in this space. They publish research on spyware infrastructure, indicators of compromise, and vendor attribution. In 2024, they identified Paragon's server infrastructure and mapped Graphite deployments across multiple countries, including Canada.
How to protect yourself
You cannot make yourself 100% immune to government-grade spyware. If a well-funded agency with a $500K tool specifically targets you, they will likely find a way in. But you can significantly reduce your risk and make their job much harder.
1. Keep your OS updated
This is the single most important thing you can do. Nearly every zero-click exploit targets a known vulnerability that the manufacturer has already patched. The victims simply had not installed the update yet. When Apple or Google releases a security patch, install it the same day.
2. Use a hardened operating system
If you have a Google Pixel, consider installing GrapheneOS. It is a custom Android ROM that strips out Google Play Services and significantly reduces the attack surface. For iPhones, enable Lockdown Mode, which blocks most iMessage attachment types, disables link previews, and limits web rendering features.
3. Disable auto-download in messaging apps
The Graphite WhatsApp attack relied on the phone automatically downloading and parsing a PDF. Go into WhatsApp, Signal, and Telegram settings and disable auto-download of media and documents. This closes one of the most common zero-click vectors.
4. Reboot your phone daily
Much of the spyware in use today runs only in memory. It does not persist across a reboot. A daily restart clears the device's memory and forces the spyware to reinfect, which requires another expensive exploit. This simple habit raises the cost of surveillance significantly.
5. Use Signal over WhatsApp and iMessage
Signal has a smaller codebase than WhatsApp or iMessage, which means fewer potential vulnerabilities. It also has better metadata protections. While no app is immune to zero-clicks, Signal reduces your attack surface.
6. Run MVT periodically
Install MVT and scan your device once a month. It is not perfect, but it can catch known indicators of compromise that you would never spot manually.
7. Never accept unexpected group chat invites
The WhatsApp zero-click required adding the victim to a group chat. If you configure your messaging apps to require approval before joining groups, you close this vector.
8. Monitor your network traffic
On Android, use NetGuard to control which apps can access the internet. At home, run a DNS filter like Pi-hole or NextDNS to block known malicious domains. Spyware has to communicate with a command and control server, and unusual outbound traffic is one of the few detectable signs.
The bigger picture
There is a deeper problem here that goes beyond individual protection. Governments around the world are investing in the insecurity of our devices rather than contributing to fixing vulnerabilities. When a government pays $500,000 for a tool that exploits a specific bug, they have a financial incentive to keep that bug unpatched.
This means the same vulnerabilities that let police catch criminals can also be exploited by hostile nations, criminals, and stalkers. Every unpatched vulnerability is a door left open for everyone, not just the intended user.
Frequently asked questions
Can regular people be targeted by government spyware?
It is rare but not impossible. In Canada, police have used these tools in about 40 investigations between 2017 and 2022, all targeting serious criminal cases. However, in other countries like Italy, journalists and activists with no criminal background have been targeted. The risk depends on where you live and what you do.
Will a VPN protect me from spyware?
No. A VPN encrypts your internet traffic and hides your IP address, but it cannot prevent spyware that is already installed on your device. A VPN is useful for privacy on public networks, but it is not a defense against phone spyware. Learn more about what VPNs actually do in my guide on whether personal VPNs really protect your privacy.
Is my phone safe if I have nothing to hide?
This is the most common argument, and it misses the point. Surveillance tools are not always used against criminals. History shows they have been used against journalists, activists, lawyers, and ordinary citizens. Privacy is not about hiding wrongdoing. It is about maintaining control over your own life and data.
What is the difference between Pegasus and regular malware?
Regular malware is usually designed for financial gain: stealing banking credentials, encrypting files for ransom, or showing ads. Government spyware like Pegasus is designed for total surveillance: reading messages, activating cameras, and tracking location. It is far more sophisticated, far more expensive, and far harder to detect.
Can I check if my phone has spyware for free?
Yes. Amnesty International's MVT is open-source and free. You can install it on a computer and scan your phone. It requires some technical comfort, but it is the most reliable free tool available for detecting government-grade spyware. You can also use critical privacy checks and free security tools as a starting point for a broader security audit.