Graphite, Pegasus, Predator: Why Commercial Spyware Keeps Working — and What Actually Stops It


In January 2025, WhatsApp notified approximately 90 users that their devices had been targeted with Graphite, a surveillance tool developed by Israeli firm Paragon Solutions. The targets included journalists, humanitarian workers, and civil society activists across two dozen countries. By April, forensic analysts at the Citizen Lab at the University of Toronto had confirmed what Apple's own security team had already identified: iPhones running fully current software had been compromised. The patch that followed — iOS 18.3.1, assigned CVE-2025-43200 — closed that particular exploit. It did not close the category.

Graphite is not an outlier. It is a representative product from a mature, well-capitalized commercial industry whose central business proposition is finding and exploiting vulnerabilities in iOS and Android before Apple and Google do. The patch cycle is a feature of that model, not a solution to it.


The Zero-Click Exploit: What It Means in Practice

The term "zero-click" has become common enough in security reporting that it risks losing its meaning. It means this: the target did nothing wrong.

No link was clicked. No file was opened. No app was installed. In the iMessage cases confirmed by Citizen Lab in 2025, infection occurred when a specially crafted message arrived at the device. The target did not need to open it, see it, or interact with it in any way. The iOS subsystem that processed the incoming data contained a vulnerability. Graphite exploited it. The device was compromised before the user was aware a message had arrived.

A separate delivery vector used WhatsApp's processing pipeline in a comparable way. WhatsApp disrupted the campaign in December 2024 and issued a cease-and-desist letter to Paragon. The cease-and-desist is not a technical control.

The operational implication is significant: security behavior — strong passwords, careful link hygiene, updated software — provides no protection against a well-implemented zero-click exploit. The attack surface is the operating system's handling of incoming data. The user is not part of the equation.


What Graphite Can Do Once Inside

In February 2026, Paragon's general counsel posted screenshots from the Graphite operator control panel to LinkedIn. The images were captured by security researchers before they were removed. They showed active interception logs, real-time session data, and monitoring interfaces for encrypted messaging applications including WhatsApp and Signal.

This is the core capability that makes Graphite — and tools like it — categorically different from network interception. Graphite operates on the device itself, reading messages before they are encrypted on send and after they are decrypted on receipt. The encryption is never defeated. It is simply bypassed.

Confirmed capabilities documented across forensic analyses include: messages from encrypted applications, call logs, photographs, contacts, GPS location data, and access to the microphone and camera. Anyone who communicated with a compromised device also had those communications exposed — making colleagues, sources, and counterparts indirect victims of an infection they had no way to detect or prevent.

Paragon has marketed Graphite as a narrower tool than NSO Group's Pegasus — access to messaging applications rather than full device control. The distinction did not survive the LinkedIn leak, which showed comprehensive device-level access. Independent researchers at Citizen Lab have noted the same: once spyware achieves OS-level persistence, the scope of access is determined by the operator's decisions, not the vendor's product positioning.


Why Consumer Devices Cannot Be Made Secure Against This Threat

This is the part of the analysis that does not appear often enough in coverage of individual spyware incidents.

iOS and Android are general-purpose consumer operating systems. They were designed to run a near-unlimited variety of applications, process data from arbitrary external sources, maintain always-on connectivity, and remain easy to use for a global population of non-technical users. These are legitimate design goals. They produce devices that billions of people rely on effectively.

They also produce an attack surface that is, by architectural necessity, enormous. Every application that can be installed is a potential attack vector. Every system process that handles incoming data — messages, calls, notifications, images — is a target for vulnerability research. Every developer API that allows apps to communicate is a potential exploitation pathway. iOS and Android are not insecure because Apple and Google are negligent. They are structurally exposed because their design requirements and security requirements exist in fundamental tension.

Commercial spyware vendors exploit that tension professionally. Google's Threat Analysis Group is currently tracking more than 40 companies in this market. In January 2025, the then-head of the U.S. government's counterintelligence agency stated that nearly 100 nations have purchased advanced mobile spyware. The capability that once required the resources of a nation-state intelligence service is now a procurement line item.

Software updates address specific, known vulnerabilities. They do not change the underlying architecture. A patched version of iOS is still iOS — a general-purpose consumer OS, processing incoming data from arbitrary sources, presenting the same category of attack surface to the next exploit in development.


What a Different Architecture Looks Like

The Sotera SecurePhone does not run iOS or Android. It runs Green Hills Software INTEGRITY-178B, a real-time operating system deployed in fighter aircraft, the U.S. nuclear infrastructure, and NASA/DOD space systems. It is not a hardened version of a consumer device. It is a purpose-built secure communications device designed from the silicon up for a specific and narrow function: encrypted voice and messaging between authorized parties.

The implications for Graphite's delivery vectors are direct. The iMessage zero-click exploit targets iOS's handling of incoming iMessage data. iMessage does not run on the SecurePhone. The WhatsApp exploit targets WhatsApp's processing pipeline. WhatsApp is not installed on the SecurePhone, and cannot be — there is no app installation capability by design.

More fundamentally, all incoming data on the SecurePhone is received and processed within an isolated sanitation compartment before it reaches any other part of the system. Any decoding failure is treated as a contamination event: all systems that interacted with the data are sanitized. Data reaches the clean system areas only after validation. This architecture is not a setting. It cannot be disabled. It is how the device processes the world.
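The compartment-then-sanitize flow described above, as an added Python sketch that is not Sotera's or Green Hills' code: untrusted bytes are decoded in a throwaway child process against a strict schema, any failure is counted as a contamination event and the process is discarded, and only a freshly rebuilt record crosses to the clean side. The JSON message format, its field names and the size limit are constructed for the example.

```python
import json
import multiprocessing as mp

MAX_BODY = 4096  # assumed limit for this constructed wire format

def _decode_untrusted(raw: bytes) -> dict:
    """Runs inside the compartment. Anything unexpected raises; nothing is repaired."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict) or set(obj) != {"from", "seq", "body"}:
        raise ValueError("unexpected shape")
    if not isinstance(obj["from"], str) or isinstance(obj["seq"], bool) or not isinstance(obj["seq"], int):
        raise ValueError("bad header types")
    if not isinstance(obj["body"], str) or len(obj["body"]) > MAX_BODY:
        raise ValueError("bad body")
    # Rebuild a minimal, freshly allocated record so the clean side never sees parser state.
    return {"from": obj["from"], "seq": obj["seq"], "body": obj["body"]}

def _worker(raw: bytes, conn) -> None:
    try:
        conn.send(("ok", _decode_untrusted(raw)))
    except Exception as exc:  # any decode failure is reported, never patched over
        conn.send(("contaminated", type(exc).__name__))
    finally:
        conn.close()

class Compartment:
    """One throwaway process per message; a failure discards the process (the sanitize step)."""

    def __init__(self) -> None:
        self.contamination_events = 0

    def process(self, raw: bytes, timeout: float = 2.0):
        parent, child = mp.Pipe(duplex=False)
        proc = mp.Process(target=_worker, args=(raw, child))
        proc.start()
        child.close()  # parent keeps only the read end
        verdict = ("contaminated", "timeout")
        if parent.poll(timeout):
            try:
                verdict = parent.recv()
            except EOFError:  # worker died without reporting (e.g. a crash in the decoder)
                verdict = ("contaminated", "crash")
        parent.close()
        proc.join(0.5)
        if proc.is_alive():
            proc.kill()
            proc.join()
        if verdict[0] != "ok":
            self.contamination_events += 1
            return None  # nothing from a contaminated run reaches the clean side
        return verdict[1]
```

A real compartment would also drop privileges and seccomp or sandbox the child; the process boundary here stands in for that isolation.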

Wi-Fi, Bluetooth, and USB data connections are disabled by design. There is no cloud backup, no diagnostic upload, no data sharing capability. One documented Graphite technique involves harvesting cloud backups — there are no backups to reach.

The SecurePhone was validated by Netragard, a security assessment organization with a track record of U.S. Government and enterprise engagements. Validated claims include: voice streams and messages between two SecurePhones cannot be intercepted or decrypted by a third party; rogue software cannot be remotely downloaded or executed; user data on flash storage cannot be remotely altered.

In 2024, the Sotera SecurePhone was included in the CPSTIC Catalogue published by Spain's National Intelligence Centre (CNI), authorizing its use by Spanish public entities.


The Correct Frame

Media coverage of individual spyware incidents tends toward the same narrative structure: a specific tool, a specific victim, a specific government client, a specific patch. That structure is accurate but incomplete. It implies that the problem is the particular exploit — that better patch management, more attentive security teams, or the right policy framework will resolve it.

The confirmed pattern across Graphite, Pegasus, Predator, and the broader class of commercial mercenary spyware is more consistent than that: sophisticated, well-resourced operators continuously develop new exploit chains against iOS and Android. Each is patched. The next one is already in development.

The device architecture that makes those operating systems useful to billions of people is the same architecture that makes them permanently vulnerable to this class of attack. That is not a solvable problem within the iOS and Android paradigm.

For individuals whose communications represent intelligence value to a state-level adversary — senior officials, executives in sensitive negotiations, legal counsel, journalists covering matters of national security — the relevant question is not which consumer device is most secure. It is whether a consumer device is the right category of device at all.