
You Don't Need to Be Hacked to Be Tracked: New Mobile Security Reports

Written by Sotera Digital Security | Apr 24, 2026 5:41:50 PM

Most people picture mobile surveillance the same way: a target clicks a malicious link, spyware installs, and an attacker gains access. It's a tidy mental model. It's also increasingly incomplete.

On April 23, 2026, two separate cybersecurity investigations were published — one from the UK's National Cyber Security Centre, co-signed by intelligence agencies from 15 countries including the US, Spain, Germany, and Japan; the other from the Citizen Lab at the University of Toronto. They were researched independently. They arrived on the same day. And together, they describe a threat landscape that is significantly more sophisticated than the "don't click suspicious links" playbook accounts for.

The threat isn't one thing. It's a stack.

The two reports address different layers of the same problem.

The first layer is infrastructure. For years, sophisticated attackers launched their operations from dedicated servers, servers that could be identified, traced, and blocked. That era is over. According to the NCSC advisory, China-linked threat actors have systematically shifted to building covert networks out of compromised everyday devices: home routers, smart cameras, network storage drives. Hundreds of thousands of them, globally. When an attack is launched through one of these devices, it looks like ordinary internet traffic from an ordinary location. Traditional defenses such as IP blocklists and geographic filters have limited effect when the attack traffic can originate from any residential broadband connection in the world.

The second layer is the mobile network itself. The Citizen Lab's investigation, titled Bad Connection, documents something that will be unfamiliar to most readers outside the telecommunications industry: the global system that connects mobile carriers to one another, allowing your phone to work when you travel internationally, was built on trust, not verification. Carriers exchange location signals. They route calls and messages across networks. And the signaling protocols that govern this exchange, some of which (SS7 among them) date back decades, contain no meaningful mechanism to confirm that the entity sending a query is who it claims to be.

Attackers have built commercial platforms to exploit exactly this. By impersonating legitimate carrier networks within the global signaling system, surveillance actors can query: where is this phone right now? No app is installed. No link is clicked. The target's device is never touched. The Citizen Lab documented a four-hour operation in which a single individual — described as a "VVIP" — was tracked across eleven carrier identities in nine countries, with the attacker systematically switching between protocols each time a defensive layer blocked their path.

A second campaign in the same report went further: a hidden SMS message, one the handset receives but never displays or announces, was designed to silently instruct the target's SIM card to report its location back to attacker-controlled infrastructure. The user would have seen nothing. The phone would have appeared normal.
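To make the "invisible to the user" part concrete: whether a handset shows a message at all is decided by header fields in the SMS PDU it receives, before any content is looked at. The parser below is an added example, not code from the Citizen Lab report or the NCSC advisory. It decodes a GSM 03.40 (3GPP TS 23.040) SMS-DELIVER PDU and flags the two protocol identifier values that keep a message away from the user: Type 0 (0x40), which the handset acknowledges and then discards, and (U)SIM data download (0x7F), which hands the payload to the SIM application toolkit rather than to the screen. It also reports the data-coding-scheme message class, since class 2 marks a message as SIM-specific. The sample PDUs are constructed for this post; the SIM-directed payload is a placeholder and not a real over-the-air command.

```python
"""Flag SMS-DELIVER PDUs that a handset will never show to its user.

Added example (not code from the Citizen Lab report or the NCSC advisory).
Field layouts follow 3GPP TS 23.040 (formerly GSM 03.40); the PDUs at the
bottom are constructed for illustration.
"""

# TP-PID (protocol identifier) values that bypass the user entirely.
PID_TYPE0 = 0x40         # "Short Message Type 0": ack, then discard silently
PID_SIM_DOWNLOAD = 0x7F  # "(U)SIM Data download": routed to the SIM, not the user


def _semi_octets(raw: bytes, ndigits: int) -> str:
    """Decode reverse-nibble BCD (addresses, timestamp); drops the 0xF pad."""
    digits = []
    for b in raw:
        digits.append(b & 0x0F)
        digits.append(b >> 4)
    return "".join(str(d) for d in digits[:ndigits])


def message_class(dcs: int):
    """TP-DCS message class 0-3, or None when the DCS carries no class."""
    if dcs >> 6 == 0:          # general data coding group
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs >> 4 == 0xF:        # data coding / message class group
        return dcs & 0x03
    return None


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse a PDU as returned by a modem (AT+CMGL), SMSC address included."""
    data = bytes.fromhex(pdu_hex)
    pos = 1 + data[0]                 # skip SMSC address (length covers TOA + digits)
    first = data[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    oa_ndigits = data[pos]; oa_toa = data[pos + 1]; pos += 2
    oa_nbytes = (oa_ndigits + 1) // 2
    sender = _semi_octets(data[pos:pos + oa_nbytes], oa_ndigits)
    if (oa_toa & 0x70) == 0x10:       # type-of-number: international
        sender = "+" + sender
    pos += oa_nbytes
    pid, dcs = data[pos], data[pos + 1]; pos += 2
    ts = _semi_octets(data[pos:pos + 6], 12)   # YYMMDDhhmmss; tz octet ignored
    pos += 7
    udl = data[pos]; pos += 1
    return {
        "sender": sender,
        "udhi": bool(first & 0x40),    # user-data header present
        "pid": pid,
        "dcs": dcs,
        "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}",
        "udl": udl,
        "user_data": data[pos:].hex(),
    }


def classify(pdu_hex: str) -> dict:
    """Attach a verdict: will the user see this message?"""
    msg = parse_sms_deliver(pdu_hex)
    cls = message_class(msg["dcs"])
    if msg["pid"] == PID_TYPE0:
        verdict = "silent_type0"
    elif msg["pid"] == PID_SIM_DOWNLOAD:
        verdict = "sim_data_download"
    elif cls == 2:
        verdict = "class2_sim_specific"   # handled on the SIM, no user alert
    else:
        verdict = "ordinary"
    msg["message_class"] = cls
    msg["verdict"] = verdict
    return msg


# Constructed samples. Common prefix: SMSC +31624000000, sender +447700900123,
# timestamp 2026-04-23 10:15:30 (the date of the reports the post discusses).
_SMSC = "07911326040000F0"
_SENDER = "0C91447700091032"
_SCTS = "62403201510300"
SAMPLE_PDUS = {
    # PID 0x00, DCS 0x00 (GSM 7-bit), 5 septets "hello"
    "ordinary": _SMSC + "04" + _SENDER + "00" + "00" + _SCTS + "05" + "E8329BFD06",
    # PID 0x40 (Type 0), empty body: handset acks and shows nothing
    "silent_type0": _SMSC + "04" + _SENDER + "40" + "00" + _SCTS + "00",
    # UDHI set, PID 0x7F, DCS 0xF6 (8-bit, class 2), UDH IEI 0x70 (SIM toolkit
    # security header) followed by a placeholder payload, not a real OTA command
    "sim_data_download": _SMSC + "44" + _SENDER + "7F" + "F6" + _SCTS + "07" + "027000" + "00000000",
}

if __name__ == "__main__":
    for name, pdu in SAMPLE_PDUS.items():
        m = classify(pdu)
        print(f"{name:18} from {m['sender']} at {m['timestamp']}: pid=0x{m['pid']:02X} "
              f"dcs=0x{m['dcs']:02X} class={m['message_class']} -> {m['verdict']}")
```

Run it over PDUs pulled from a handset's modem log or a test SIM's message store; the PID and DCS check is cheap enough for a baseband-side monitor. The verdicts are header-based only: a message that passes as "ordinary" can still carry a malicious link, and a class 2 or SIM-download message can be legitimate carrier provisioning, so the classifier surfaces candidates for review rather than deciding intent.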

Why this matters for high-risk organizations

Both reports are explicitly addressed to government bodies, critical infrastructure operators, and defense organizations — the same entities that have the most to lose from targeted surveillance and the highest responsibility to protect sensitive communications.

The NCSC advisory was co-signed by Spain's National Cryptologic Centre (CCN), Germany's federal intelligence and security services, and the NSA, FBI, and CISA. This is not a theoretical research exercise. These are operational warnings from agencies with direct visibility into active campaigns.

What makes these findings significant isn't any single technique in isolation. It's the layered nature of the threat. Covert networks conceal who is attacking. Telecom-layer surveillance locates the target. Device-level spyware, when deployed, completes the operation. These are not three separate threat actors — they can be three phases of a single, coordinated campaign.

What comes next

In our upcoming posts, we'll go deeper on each report — what the NCSC advisory actually recommends for organizations defending against covert network attacks, and what the Citizen Lab findings mean for anyone responsible for protecting high-value individuals.

The short version: the threat to mobile communications is real, it is active, and it operates in layers that most mobile security thinking has not yet caught up with.
