SPYWARE & COMPROMISED DEVICES.

Mobile security and compromise detection

When a device is compromised

How remote access Trojans, spyware and advanced surveillance technology can affect phones, tablets, Windows laptops and MacBooks—and why encryption alone cannot make an infected endpoint trustworthy.

Remote access Trojans Mobile spyware Endpoint security Updated July 2026
The endpoint is part of the security boundary

A secure message can still be exposed on an insecure device

Phones and computers hold private communications, passwords, photographs, financial information, documents, location history and access to cloud accounts. Encryption protects much of this information while it is stored or travelling between systems, but the authorised application must eventually display or process it in readable form.

Video explanation

Encryption cannot make a compromised endpoint trustworthy

In this short video, we explain the central issue: if a remote access Trojan or sufficiently capable spyware is already operating on a device, it may access information before encryption is applied or after the legitimate application has decrypted it.

This does not mean that encryption is useless. End-to-end encryption remains essential for protecting messages from network interception, service intermediaries and many other threats. The limitation is that encryption protects the communication channel; it cannot guarantee that either endpoint is free from malicious software.

View the video on Instagram
Understanding the encryption boundary

Encryption protects data in specific states

Malware does not always need to defeat an encryption algorithm. It may instead target the operating system, application, screen, keyboard, microphone, account session or readable information surrounding the encrypted channel.

01

Data at rest

Device and file encryption protect stored information, particularly when a phone or computer is powered off, locked, lost or stolen.

02

Data in transit

Transport encryption and end-to-end encryption protect information while it travels between authorised devices and services.

03

Data in use

The device must decrypt information to display, edit, hear or process it. Malware with sufficient access may target this readable state.

!
The cryptography may remain completely unbroken

An attacker may capture keystrokes before a message is encrypted, record the screen after it is decrypted, read notifications, steal authenticated session information or remotely operate the legitimate application as the signed-in user.

Unauthorised remote control

What is a remote access Trojan?

A remote access Trojan, commonly shortened to RAT, is malicious software that creates unauthorised access to a phone, tablet or computer. It may disguise itself as a legitimate application, document, browser extension, update or installation package.

Once active, the malware may connect to an attacker-controlled command-and-control service. The attacker can then issue commands, retrieve information, install additional components or attempt to maintain access after the device restarts.

Legitimate remote-support applications can also be abused. The important questions are whether the software was knowingly installed, whether the owner gave informed permission and whether unattended access has been configured.

Input and credential capture

Recording keystrokes, clipboard content, login details or information entered into applications and websites.

Screen and application monitoring

Capturing screenshots, recording the display or observing information shown inside messaging and financial applications.

Microphone, camera and location access

Attempting to activate sensors or collect location information when permissions or operating-system exploits allow it.

File collection and additional malware

Searching for documents, photographs and application data or downloading further malicious components.

Remote commands and persistence

Running commands, changing settings, creating background services or attempting to restore access after a restart.

Initial access

How malicious access can begin

Not every compromise requires a sophisticated zero-day exploit. Many incidents begin with social engineering, unsafe applications, stolen credentials or the abuse of legitimate remote-access features.

Malicious messages and attachments

Fraudulent emails, messaging links, documents or compressed files may persuade the recipient to open or install malicious content.

Fake applications and updates

Malware may imitate a legitimate utility, security update, streaming application, game, browser extension or business tool.

A

Unsafe Android installation files

Applications installed from untrusted APK files may request extensive permissions or conceal unwanted surveillance features.

Abused remote-support software

Criminals may persuade a person to install legitimate remote support software and then configure unattended access.

Account or cloud compromise

A device may appear compromised when the attacker has actually taken control of email, cloud storage, backups or account sessions.

Software vulnerability exploitation

Advanced attackers may exploit flaws in an operating system, browser, messaging application or media-processing component.

Different platforms, different attack paths

How phones, tablets and computers can be affected

Sandboxing, application permissions, software distribution and hardware security controls differ between operating systems. The investigation method must therefore be appropriate for the affected platform.

iOS and iPadOS

Apple restricts applications through code signing, sandboxing, permissions and controlled software distribution. An ordinary application therefore does not normally receive unrestricted access to the entire device.

Incidents may instead involve stolen Apple Account credentials, malicious links, deceptive applications, configuration or management profiles, physical access, or an exploit chain that escapes the normal security boundaries.

Important: unusual behaviour alone does not prove that an iPhone contains Pegasus or another advanced implant. High-confidence conclusions require appropriate forensic evidence.

Android phones and tablets

Android malware may arrive through deceptive applications, unofficial APK downloads, fake updates, malicious links or compromised software. Some attacks persuade the user to grant powerful permissions rather than exploiting Android directly.

Accessibility access, notification access, device-administrator privileges, screen-capture consent, VPN configuration and permission to install unknown applications can all be abused.

Review the full permission chain: an application may appear simple while holding the ability to read notifications, observe the screen or operate other applications through Accessibility services.

Windows laptops and desktops

Windows RATs may be delivered through malicious attachments, pirated software, fake installers, fraudulent updates, script files, compromised accounts or additional malware already present on the system.

Depending on its privileges, malware may capture the screen, record input, access browser information, run commands, manipulate files and install further payloads.

Remote access is not automatically malicious: legitimate support products should still be investigated when they appear unexpectedly or are connected to an unknown account.

macOS

macOS malware may arrive through malicious applications, fake updates, browser downloads, deceptive disk images, modified software or social engineering that persuades the user to bypass security warnings.

An attacker may seek Accessibility, Screen Recording, Full Disk Access, automation or administrative privileges. Legitimate Screen Sharing and remote-management tools may also be abused.

Permission prompts are security boundaries: unexpected requests for screen recording, accessibility control or full-disk access should be investigated.
Related threats are not identical

RATs, spyware, stalkerware and mercenary spyware

These terms overlap, but they describe different capabilities, attackers and levels of sophistication. Correct classification helps determine the risk and the appropriate response.

01

Remote access Trojan

Malware that provides unauthorised remote control, command execution or interactive access to a compromised device.

02

Spyware

Software designed to collect communications, location, credentials, files or activity without informed consent.

03

Stalkerware

Surveillance software often installed by someone with physical access or knowledge of the victim's device and accounts.

04

Mercenary spyware

Highly resourced commercial surveillance technology used against a small number of selected, high-value targets.

Advanced targeted surveillance

Where Pegasus fits into the picture

Pegasus should be described as advanced mercenary spyware rather than an ordinary consumer RAT. Investigations have documented its use against selected journalists, activists, lawyers, political figures and other high-risk individuals.

Researchers have documented interaction-based attacks and zero-click exploit chains in which the target did not need to open a link or knowingly install an application. A successful exploit may attempt to escape normal application restrictions and obtain access beyond that available to an ordinary app.

This is a different threat model from an unsafe Android APK or a Windows RAT delivered through an email attachment. The targeting, resources, exploit capabilities and forensic difficulty are substantially higher.

Keep the risk proportionate. Most people will never be targeted by Pegasus-class spyware. Battery drain, overheating or one unusual event cannot establish this level of compromise.
Indicators, not a diagnosis

Possible signs that deserve investigation

Sophisticated malware may produce no obvious symptoms. Other symptoms can have innocent explanations, so an assessment should consider several independent artefacts rather than relying on one observation.

Unknown applications or profiles

Apps, management profiles, VPN settings or certificates that the owner does not recognise.

Unexpected permission changes

New Accessibility, notification, microphone, camera, screen recording or full-disk permissions.

Account-security alerts

Unknown sessions, new devices, password-reset attempts or authentication prompts.

Unexpected remote-access software

Remote-control services or unattended-access settings that were not knowingly configured.

Actions not performed by the owner

Sent messages, purchases, account changes or settings altered without permission.

Verified security notifications

Apple threat notifications, Google warnings, antivirus findings or enterprise alerts should be assessed promptly.

Unexpected sensor activation

Camera or microphone indicators appearing without an obvious trusted application using them.

Unexplained network activity

Significant or unusual data transfer when the device would normally be inactive.

Repeated crashes or instability

Unexpected restarts or application failures that occur alongside other security indicators.

Symptoms are not proof of compromise. Battery drain, heat, poor performance, pop-ups and high mobile-data usage can be caused by legitimate applications, battery ageing, software faults or normal background activity.
Respond without unnecessarily destroying evidence

What to do when compromise is suspected

1

Use a separate trusted device

Conduct sensitive conversations and contact support from another device that is not linked to the suspected compromise.

2

Record what happened

Note dates, times, messages, unusual behaviour, account alerts and people who had physical access to the device.

3

Preserve relevant notifications

Retain original emails, screenshots and security warnings. Verify important alerts through the provider's official service.

4

Decide whether evidence is required

A factory reset may remove useful forensic traces. Obtain advice before wiping the device when evidence or attribution matters.

5

Contain immediate risk

Stop using the suspected device for sensitive work and isolate it from networks when active data loss or personal danger is a concern.

6

Secure connected accounts

From a trusted device, review email, cloud, mobile-network and financial accounts and revoke unknown sessions.

Safety and evidence can require different actions. When immediate harm is possible, protecting the person and their accounts takes priority. When an evidence-led investigation is required, avoid installing numerous scanner apps, repeatedly changing settings or resetting the device before obtaining advice.
Reducing the opportunity for compromise

Practical security measures

No single control eliminates every threat. Effective protection combines operating-system security, application controls, account protection, physical security and informed user behaviour.

Install updates promptly

Keep the operating system, browser, messaging applications and security tools on supported versions.

Use trusted software sources

Avoid cracked software, unknown APK files, fake updates, unverified profiles and applications sent through unsolicited links.

Review powerful permissions

Check Accessibility, device administration, notification access, screen recording, VPN, microphone and camera permissions.

Protect accounts separately

Use unique passwords, passkeys or strong multifactor authentication and review active sessions and recovery methods.

A

Keep Google Play Protect enabled

Android users should retain Play Protect and remove unnecessary, untrusted or unexpectedly installed applications.

L

Consider Apple Lockdown Mode

People facing an elevated risk of highly sophisticated targeted attacks can consider Apple's optional Lockdown Mode.

Separate sensitive work

Keep sensitive communications and client work separated from ordinary browsing, personal apps and untrusted downloads.

Protect physical access

Use a strong passcode, short automatic-lock period and secure storage. Do not share unlock credentials.

Maintain protected backups

Keep recoverable backups and test recovery procedures before a security incident makes them urgently necessary.

Mobile forensics and compromise detection

When reassurance requires evidence

A professional mobile-security examination can review suspicious applications, profiles, permissions, account artefacts, available system records, known indicators of compromise and security weaknesses that may have enabled unauthorised access.

The appropriate method depends on the device, operating-system version, symptoms, threat model and whether evidence must be preserved. Findings should distinguish confirmed evidence from suspicion and normal device behaviour.

iPhone, iPad and Android security assessment
Application, permission and configuration review
Indicator-led forensic examination where appropriate
Clear findings and practical security recommendations
Confidential handling of device and client information
Concerned about a device?

Request a confidential discussion before resetting, replacing or making major changes to the phone.

Request a confidential check info@espionic.co.uk
Forensic limitation: no examination can guarantee that every possible form of compromise will be detected. Advanced malware may remove traces, operate temporarily in memory, exploit areas unavailable through a standard backup or leave artefacts that are not yet publicly understood. The absence of a known indicator is not proof that compromise never occurred.
Primary and technical sources

Official references

Threat capabilities and operating-system protections change over time. Current vendor guidance and primary forensic research should be consulted before making security or evidential decisions.

Espionic Technologies

Defensive guidance for private clients, organisations and authorised digital-security and forensic teams.

Next
Next

Choosing The Right Operating System.