The message never arrived. There was no suspicious link, no urgent attachment, no call from an unknown number. The journalist’s iPhone sat on his desk, locked, while he ate lunch — and in the time it took to finish a meal, it was fully compromised. A zero-click exploit had silently entered through iMessage, escalated privileges to root, and activated a persistent implant. By the time Citizen Lab researchers later recovered forensic traces from the device, the attacker had already exfiltrated months of communications, location history, and contact lists. The victim had done nothing wrong. There was nothing to do.
This is the new frontier of mobile threat intelligence: attacks that require zero user interaction, burn vulnerabilities worth millions of dollars on the black market, and are deployed with surgical precision by nation-state actors against journalists, executives, diplomats, lawyers, and government officials. In 2026, mobile devices are not a secondary attack surface — they are the primary one.
What Zero-Click Actually Means
The term “zero-click” gets used loosely, but it has a specific technical meaning that matters for understanding the threat. Traditional phishing relies on a user clicking a link or opening a file — it requires human error at some point in the chain. Zero-click exploits eliminate that dependency entirely. They target vulnerabilities in how a device processes incoming data before any user interaction occurs: parsing an image file in iMessage, rendering a preview in a messaging notification, handling a malformed network packet.
Most zero-click chains target memory corruption vulnerabilities — buffer overflows, use-after-free bugs, and heap spraying techniques that allow an attacker to overwrite arbitrary memory and redirect code execution. FORCEDENTRY, the NSO Group exploit used against Bahraini activists in 2021 and dissected by Google Project Zero, exploited a flaw in Apple’s image parsing library (JBIG2) that allowed attackers to simulate a fully functional CPU inside the parsing engine — effectively running arbitrary code inside what Apple believed was a sandboxed, safe operation.
The reason mobile has become the primary attack surface is structural. Smartphones are always powered on, always connected, and almost never rebooted — making persistence easier to maintain. They carry location data (GPS tracking at meter-level precision), encrypted communications (the very channels executives trust most), biometric credentials, and corporate access tokens. A fully compromised smartphone is worth more to a sophisticated attacker than a compromised laptop: it moves with the target, listens through the microphone, and bypasses the VPN, firewall, and endpoint detection tool that corporate security teams have spent years deploying.
The Exploit Brokers
The commercial market for mobile zero-days has normalized what was once considered exotic state-craft. Zerodium, a Washington-based exploit acquisition firm, publishes a public price list: a full iOS remote code execution and persistence chain — the kind needed for a zero-click deployment — commands up to $2.5 million per acquisition. Android full chains run slightly lower, around $2 million, reflecting iOS’s larger share of high-value government and enterprise targets. Crowdfense, a UAE-based competitor, has offered comparable prices. Both firms acquire vulnerabilities from independent researchers and sell them exclusively to government clients.
Below the acquisition tier sits the commercial spyware industry. NSO Group’s Pegasus, is the most documented example: a full-featured mobile surveillance suite sold to government clients that can extract messages, emails, photos, GPS coordinates, and even activate the microphone and camera remotely. Pegasus operates silently, leaves minimal forensic traces, and was, for years, marketed as a lawful-intercept tool for fighting organized crime and terrorism.
Intellexa’s Predator and Paragon’s Graphite represent a second generation of competitors that emerged as NSO Group faced sanctions, litigation, and reputational damage. These products operate on the same model — licensed to government intelligence and law enforcement agencies — but have expanded the customer base beyond the original handful of Western-aligned states. The market has industrialized. Zero-click mobile exploitation is no longer the exclusive domain of the NSA or GCHQ. It is available to any government with a procurement budget and the political will to deploy it.
Real Cases That Defined the Threat
The empirical record is extensive. Citizen Lab at the University of Toronto has documented Pegasus infections in dozens of countries, consistently finding the tool deployed against people it was never marketed to target: journalists covering corruption, opposition politicians, human rights lawyers, and family members of dissidents.
The FORCEDENTRY exploit, deployed against at least nine Bahraini activists between February and September 2021, required no interaction whatsoever. Devices running fully patched versions of iOS were compromised through iMessage. Apple was notified in September 2021 and patched within days — but the attackers had already had months of uncontested access. Google Project Zero’s subsequent analysis of FORCEDENTRY remains one of the most technically detailed public breakdowns of a nation-state mobile exploit chain.
In 2019, WhatsApp disclosed a zero-day vulnerability (CVE-2019-3568) in its VoIP stack that allowed Pegasus to be installed by calling a target’s phone — even if the call went unanswered. The flaw affected both iOS and Android. NSO Group was subsequently sued by WhatsApp’s parent company Meta, a case that has wound through US courts for years and produced significant legal discovery.
Android has not been immune. Multiple documented campaigns have used chained exploits — combining a browser or messaging app vulnerability with a kernel privilege escalation — to achieve persistent root access on Android devices. Campaigns targeting journalists in the Middle East and Central Asia have exploited vulnerabilities in the Chrome rendering engine combined with Linux kernel bugs to achieve full device compromise.
Advertisement
The Vendor Response
Apple’s answer to the zero-click threat is Lockdown Mode, introduced in iOS 16 and significantly expanded in subsequent releases. Lockdown Mode is an opt-in hardened configuration that disables iMessage link previews, blocks most incoming FaceTime calls from unknown contacts, disables JIT compilation in WebKit, and restricts incoming device management profiles. It is a blunt instrument — some features stop working — but research suggests it meaningfully raises the cost of exploitation. NSO Group exploits that bypassed earlier iOS versions have been shown to fail against devices running Lockdown Mode.
Google’s response has been multifaceted. Project Zero has published an increasingly detailed body of research on mobile exploitation, and the Android Vulnerability Rewards Program now offers up to $1.5 million for a full remote exploit chain. Android’s patch cadence has improved dramatically — monthly security bulletins now cover the base OS, but the fragmentation problem persists. Device manufacturers (Samsung, Xiaomi, Oppo) control when patches reach end users, and that lag can extend from weeks to months for lower-tier devices. Pixel phones receive patches first; the rest of the Android ecosystem follows on timelines that vary widely.
The iOS versus Android security comparison has grown more nuanced. iOS benefits from a tightly controlled hardware-software stack, which makes exploitation harder — but also means that when a zero-day exists in a core Apple library (as with JBIG2 in FORCEDENTRY), it affects every device running that iOS version simultaneously. Android’s fragmentation, long cited as a security liability, also means that a vulnerability in one manufacturer’s implementation may not affect others. Neither architecture is inherently safer; the attack surface is different in shape.
The Corporate Exposure Problem
Enterprise security teams have largely built their threat models around desktop endpoints — laptops with endpoint detection and response (EDR) tools, email gateways with sandboxing, network perimeter monitoring. Mobile devices fall outside these controls in most organizations. A CEO’s iPhone carries their Signal messages, their WhatsApp conversations with board members and investors, their personal email linked to corporate accounts, and their multi-factor authentication tokens. A compromise of that device can yield more intelligence than months of email surveillance.
BYOD (Bring Your Own Device) policies, standard in most mid-to-large organizations, compound the exposure. Personal devices are not enrolled in MDM (Mobile Device Management), are not updated on corporate schedules, and may run older iOS or Android versions. Even enrolled devices resist the kind of deep inspection that EDR tools provide on laptops — mobile operating systems sandbox security software the same way they sandbox everything else, preventing the kernel-level visibility that makes endpoint detection meaningful.
The targeting profile has also expanded. Early commercial spyware campaigns focused on dissidents and journalists. By 2025, documented cases include lawyers working on sensitive litigation, executives at defense contractors, pharmaceutical companies involved in regulatory disputes, and personnel at financial institutions. The threshold for deployment is coming down as the number of licensed operators expands and competition drives down prices.
What Enterprises Can Do
The uncomfortable reality is that no organization can fully defend against a well-funded nation-state actor burning a genuine zero-click zero-day on a fully patched device. The goal is to raise the cost of attack and reduce exposure for the highest-risk individuals.
Enable Lockdown Mode for high-risk individuals. Any executive, legal counsel, board member, journalist, or government-facing employee whose communications could be of intelligence value should run iOS Lockdown Mode or an Android equivalent hardening profile. The usability trade-offs are manageable — most enterprise workflows remain intact.
Deploy Mobile Threat Defense tools. Products like Zimperium and Lookout operate within the sandbox constraints of mobile OSes but can detect behavioral anomalies, suspicious network connections, and known malicious configurations. They are not equivalent to EDR on laptops but provide meaningful signal — particularly for detecting the network callbacks that spyware implants use to exfiltrate data.
Minimize the iMessage attack surface. Organizations that do not require iMessage for business communications should disable it, or at minimum configure it to filter messages from unknown senders. The same applies to FaceTime. Reducing the parsing attack surface that nation-state actors exploit is a direct cost-raising measure.
Enforce rapid mobile patch deployment. Organizations managing corporate or enrolled personal devices should require iOS and Android updates within 72 hours of release. A significant percentage of successful mobile exploits target vulnerabilities for which patches already exist.
Audit messaging app permissions and usage. WhatsApp, Telegram, and Signal each carry different risk profiles. Organizations should inventory which messaging apps employees use for business communication and apply data classification policies accordingly.
Assume mobile compromise for sensitive operations. For meetings involving genuinely sensitive information — M&A discussions, regulatory negotiations, litigation strategy — treat all mobile devices in the room as potentially compromised. Use air-gapped or dedicated devices where the stakes justify it.
Zero-click mobile exploits will not become less prevalent as the market matures — they will become more accessible. The technical barriers to deployment are falling while the commercial infrastructure supporting state-level mobile surveillance has industrialized. 2026 is the year mobile security moves from a footnote in enterprise risk assessments to a board-level discussion.
Frequently Asked Questions
What is mobile zero days?
Mobile Zero Days: iOS and Android Under Sustained Nation-State Attack in 2026 covers the essential aspects of this topic, examining current trends, key players, and practical implications for professionals and organizations in 2026.
Why does mobile zero days matter?
This topic matters because it directly impacts how organizations plan their technology strategy, allocate resources, and position themselves in a rapidly evolving landscape. The article provides actionable analysis to help decision-makers navigate these changes.
How does the exploit brokers work?
The article examines this through the lens of the exploit brokers, providing detailed analysis of the mechanisms, trade-offs, and practical implications for stakeholders.
Sources & Further Reading
- FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild — Citizen Lab
- A Deep Dive into NSO Zero-Click iMessage Exploit: Remote Code Execution — Google Project Zero
- About Lockdown Mode — Apple Security Engineering
- Exploit Acquisition Program — Zerodium
- Forensic Methodology Report: How to Catch NSO Group’s Pegasus — Amnesty Tech
- Predator in the Wires: Targeted with Predator Spyware — Citizen Lab
