The tabloids were just after scoops, but criminals can use the same techniques to do more damage. “If successfully verified, the attacker convinces the phone carrier to transfer the victim’s phone number to a device they possess, in what’s known as a SIM swap,” says Adam Kohnke, information security manager at the Infosec Institute. “Calls, texts, and access codes — like the second-factor authentication codes your bank or financial providers send to your phone via SMS — now go to the attacker and not you.”
Gaining physical access to your phone
One of the most obvious — but overlooked — ways to install malware on someone’s phone is to do it manually, once you gain physical access to their device. This is of particular importance in domestic violence or stalking scenarios, but it is used for corporate espionage as well.
“When someone has physical access to a device, the risk landscape changes significantly,” says Polygaurd’s Badiyan. “Tools like FlexiSPY, mSpy, or Xnspy can be installed quickly and run silently, capturing text messages, call logs, GPS location, and even activating microphones or cameras without user awareness. For corporate espionage, malicious configuration profiles (especially on iOS) or sideloaded APKs (on Android) can be deployed to reroute data, manipulate network traffic, or introduce persistent backdoors. There are also hardware-based threats: malicious charging cables, keyloggers, or implanted devices that can exfiltrate data or inject malware. However, these tend to be less common outside of high-value targets.”
