Spyware: when the State outsources the spying on your phones
ANSSI has just released a detailed report on the threat targeting mobile phones. It covers vulnerabilities, "zero-click" infection chains, cybercriminals... but also a private surveillance market that sells spying capabilities...

ANSSI has just released a detailed report on the threat targeting mobile phones. It covers vulnerabilities, "zero-click" infection chains, cybercriminals... but also a private surveillance market that sells spying capabilities to States, some with little regard for civil liberties.
Translation: the spying on your smartphone is partly outsourced to dealers of digital weapons. And that deserves a real political debate, not just a set of best-practice sheets.
In my book Être en cybersécurité, I actually devoted an entire chapter to the risks tied to the use of your mobile phones.. For many reasons, I am delighted to see this alignment with ANSSI; but what exactly does this report say?
A quiet admission: surveillance has become an industry
In the report, ANSSI explains very clearly that mobile intrusion capabilities are no longer reserved for a handful of ultra-tech intelligence services.
Since the 2010s, we have seen the rise of private "offensive cyber operations" companies (LIOP) that develop, package and sell turnkey spying tools to governments, to their intelligence services, and even to para-public bodies.
Concretely, these outfits offer:
- highly intrusive spyware (Pegasus & co type), capable of taking control of a phone with no action from the user;
- hijacked ad-profiling services (ADINT), which exploit online advertising to track, geolocate and target individuals or groups;
- solutions that rely on internet service providers (ISPs) to inject malicious code directly into network traffic;
- more "consumer" tools for businesses and individuals: stalkerware, surveillance suites, etc.
We are no longer in the cliché of the "hacker in his garage".
We are in an industrial ecosystem with product catalogs, trade shows, commercial demos, multi-year contracts and, inevitably, lobbying.

The comfortable hypocrisy of States
The most troubling part is the double standard.
On one side, ANSSI warns, rightly, about:
- the uncontrolled proliferation of these tools;
- their irresponsible use against opponents, journalists, NGOs, business leaders;
- the risk that these capabilities leak or get reused by other actors (third-party States, cybercriminals, paramilitary groups).
On the other side, those same States:
- buy these solutions for millions of euros;
- take advantage of the legal gray area to run operations that would be politically hard to own if they were carried out "in-house";
- hide behind a form of denial: "we are responsible, it's the others who abuse them".
The report also mentions the Pall Mall Process, a Franco-British initiative meant to govern the use of these tools by States. Very fine on paper. But at bottom, we remain within the following logic:
"We keep the right to buy software weapons, we just ask others to be nice about it."
We know the tune: we have already seen this with conventional arms sales, with mass-surveillance technologies, with certain intelligence decisions.
We create a market, we feed it, then we pretend to be surprised when it spills over.
When your phone becomes a geopolitical weapon
What ANSSI describes, without daring to say it quite so bluntly, is this:
a compromised smartphone is a neutralized individual.
The campaigns cited in the report show that these tools serve to:
- track elected officials and senior civil servants, notably on their personal phones;
- spy on the leadership of strategic companies, and therefore influence economic and industrial choices;
- monitor opponents, journalists, rights defenders, sometimes abroad, sometimes at home;
- conduct economic intelligence: understand who talks to whom, when, in what context.
And behind this, it is not only about major powers.
Middle-tier States, which have neither the culture nor solid democratic safeguards, end up with eavesdropping and intrusion capabilities worthy of a major intelligence agency.
We are literally selling "turnkey political police services" to whoever can pay.
What was once reserved for the top of the range becomes a catalog product.
And once the technology exists, it always ends up being used beyond what was officially intended.

The real risk: the normalization of the exceptional
What worries me most is not only the technology.
It is the way we are normalizing the exceptional.
A few years ago, a State that planted a mic in an opponent's bedroom took an enormous political risk.
Today, all it needs to do is compromise their phone: no search warrant, no physical trace, and the ability to capture everything, sound, image, messages, contacts, remotely.
The political danger is right there:
- what should be an absolute exception, strictly governed (and even then), becomes an almost routine operation;
- democratic oversight is two wars behind: judges, members of parliament, and oversight authorities have neither the technical means nor, sometimes, the political will to dig into these subjects;
- part of the state apparatus is getting used to this convenience: "why investigate at length when a phone infection can tell us everything?".
This is exactly the kind of drift I describe in Être en cybersécurité: we invoke security, terrorism, the fight against organized crime, but along the way we install tools that could one day very well serve to monitor social, economic or political dissent.
What to do? Three levels of response
We are not going to wait for a sudden revelation from governments to react. There are at least three levels to work on.
1. Individual: stop playing naive
No, you are not "too small" to be of interest to anyone.
You can be targeted indirectly:
- because you work in a strategic company;
- because you are close to an elected official, a decision-maker, a journalist;
- because your phone can serve as a pivot toward other systems.
So yes, you have to raise the baseline:
- separate work and personal use as much as possible;
- update, restart and clean your phone regularly;
- limit apps, permissions, and hyper-intrusive "free" services;
- learn to react when in doubt (do not tinker with everything, contact professionals, etc.).
That is exactly what I lay out, step by step, in Être en cybersécurité: simple reflexes, usable by everyone, without jargon.
2. Collective: demand real red lines
On the political side, we have to stop with the half-measures.
A few simple avenues:
- clearly ban certain uses (surveillance of protected categories, sales to non-democratic regimes, etc.);
- impose minimal transparency on public procurement of these tools;
- genuinely strengthen the checks and balances: oversight authorities, judges, parliamentary committees equipped with technical means.
We cannot, on one side, explain that these tools threaten democracy and, on the other, keep buying them in total secrecy.
3. Cultural: put technology back in its place
A last point, more political: we have to break out of this technocratic fascination that consists of believing there is a technical solution to everything.
The question is not only:
"Can we spy on this phone within the bounds of the law?"
It is also:
"Is it legitimate, proportionate, compatible with a free society?"
As long as this debate stays confiscated by a few experts, lawyers and techies, we will keep piling up tools in the name of security, all while widening the gap with liberties.
In closing
This ANSSI report has one merit: it finally puts down in black and white the scale of the threat to mobile phones and acknowledges the existence of a global private surveillance market.
It is now up to us to make something of it:
- by protecting ourselves better, individually;
- by applying pressure, collectively, to obtain clear red lines;
- by refusing this normalization of the exceptional that turns our smartphone into a State snooping device outsourced to private companies.
Questions fréquentes
What is an offensive cyber operations company (LIOP)?
These are private companies that emerged from the 2010s onward and that develop, package and sell turnkey spying tools to governments, intelligence services or para-public bodies.
Do you have to be an important target to be affected?
No. You can be targeted indirectly: because you work in a strategic company, because you are close to an elected official or a journalist, or because your phone can serve as a pivot toward other systems.
Does the Pall Mall Process solve the problem?
Not really. This Franco-British initiative meant to govern the use of these tools remains, according to the article, within the logic of 'we keep the right to buy software weapons, we just ask others to be nice about it'.
What individual reflexes should you adopt in the face of this threat?
Separate work and personal use, update, restart and clean your phone regularly, limit apps and permissions, and know how to react when in doubt by contacting professionals rather than tinkering.

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
