Digital Safety, Spyware, Surveillance

How “they” Install Spyware on Your Device


In 2021, a journalist’s iPhone became infected with Pegasus spyware without him ever answering the call or clicking a link. Within days, his encrypted messages were being intercepted, his microphone activated remotely during private meetings, and his location tracked in real-time.

This wasn’t an isolated case. Across Africa, and the world, sophisticated surveillance malware is infecting devices through methods so advanced that traditional cybersecurity measures often fail to detect them. From zero-click exploits that require no user interaction to supply chain attacks that compromise trusted software updates, the techniques used by state-sponsored hackers and private surveillance firms are evolving at an alarming rate. Throw in Artificial Intelligence (AI), and we are staring down the barrel of a gun.

In this investigation, we’ll examine exactly how these infections occur, analyse real-world cases from the region, and provide actionable advice for protecting yourself against these invisible threats.


Zero-Click Exploits

The most dangerous malware requires no mistakes from its victims. Zero-click exploits work by sending specially crafted data that triggers vulnerabilities in commonly used apps like WhatsApp, iMessage, or even SMS handlers. When the app automatically processes this data, whether it’s an image, PDF, or call, the malware gains a foothold on the device without any user interaction.

In Uganda during the 2021 elections, opposition members reported receiving suspicious FaceTime calls that rang once and disconnected. Forensic analysis later revealed these were delivery mechanisms for Predator spyware, developed by the commercial surveillance firm Cytrox. The malware gave operators complete access to devices, including the ability to intercept encrypted communications and activate cameras remotely.

Key characteristics of zero-click attacks:

  • No clicks, downloads, or interactions required
  • Often exploit vulnerabilities in messaging apps
  • Leave minimal forensic traces
  • Most effective against high-value targets

The market for these exploits is thriving on the dark web, with prices ranging from $50,000 to over $1 million for a single vulnerability. Government agencies and private surveillance companies maintain stockpiles of these zero-day exploits, using them judiciously against high-priority targets. Exploit brokers like Zerodium and Exodus Intelligence buy these exploits and sell them to governments and surveillance vendors like NSO Group.


The Exploit Supply Chain: From Researchers to Spyware

Behind every sophisticated surveillance tool lies a complex ecosystem of vulnerability researchers, exploit brokers, and malware developers. The journey typically begins when security researchers discover flaws in popular software like iOS, Android, or common messaging applications.

Rather than reporting these vulnerabilities through official channels, some researchers sell them to exploit brokers like Zerodium or Exodus Intelligence. These firms act as middlemen, purchasing exploits from researchers and reselling them to government agencies and surveillance companies. NSO Group, the maker of Pegasus spyware, maintains an entire team dedicated to acquiring and weaponizing these vulnerabilities.

In 2019, a critical vulnerability in WhatsApp (CVE-2019-3568) allowed attackers to install spyware simply by calling a target’s number. Forensic evidence suggests this exploit was purchased from a private research firm before being incorporated into Pegasus. The vulnerability was particularly dangerous because it worked even if the call wasn’t answered, and it left no visible traces on the infected device.


Social Engineering: Exploiting Human Psychology

When technical exploits aren’t available or practical, attackers often resort to social engineering – manipulating targets into compromising their own security. These attacks are particularly common in Africa, where awareness of digital threats remains uneven.

One prevalent tactic involves sending fake security alerts. In 2024, some US lawyers received emails purporting to be from the Judiciary’s Case Management/Electronic Case Files (CM/ECF) system. When opened, these emails directed recipients to a malicious site that installed malware, giving attackers access to the lawyers’ devices.

Another common approach is impersonation. Attackers might pose as IT support staff, contacting targets with warnings about “security issues” that require immediate attention. In one documented case from Tanzania, journalists received calls from individuals claiming to represent an international press freedom organization, offering “security upgrades” that were actually spyware installers.

Red flags to watch for:

  • Unsolicited requests to install software or updates
  • Messages creating a false sense of urgency
  • Communications that mimic trusted organizations but use slightly altered details

Supply Chain Compromises

Some of the most insidious attacks don’t target individuals directly, but instead compromise the software and services they trust. Supply chain attacks involve infiltrating app stores, software update mechanisms, or even hardware manufacturing processes to distribute malware at scale.

In Uganda during 2023, activists downloaded what appeared to be legitimate VPN apps from third-party stores, only to later discover they contained modified versions of Predator spyware. The apps functioned normally while secretly exfiltrating data and providing remote access to the devices.

Similarly, in Sudan, government-aligned hackers distributed modified versions of WhatsApp that included surveillance functionality. These “WhatsApp mods” were promoted as offering enhanced features but actually served as trojans, giving attackers complete control over infected devices. In Kenya, we have had a craze over WhatsApp GB, which offers advanced features over the “normal” app. Do we know the underlying technology, or what is happening under the hood?

The growing popularity of mobile banking in East Africa has made financial apps another attractive target. Security researchers have identified multiple cases where fake banking apps, nearly indistinguishable from legitimate ones, were distributed through unofficial channels to steal credentials and financial data.


Physical Access Attacks

Not all surveillance requires sophisticated hacking. In many cases, governments simply seize devices during arrests, border crossings, or “routine checks” to install surveillance tools directly.

Egyptian and Nigerian activists have reported numerous cases where phones taken at airport security were returned with spyware installed. The malware often remains dormant for weeks before activating, making detection difficult. In some instances, authorities have used the pretext of “virus scans” or “security inspections” to justify these intrusions.

Device repair shops also present risks. In Kenya, there have been multiple documented cases where phones taken in for screen repairs or battery replacements were returned with surveillance software installed. Most of these cases involved spouses spying on partners they suspected of infidelity, but the modus operandi, a tracking app installed while the device is out of the owner’s hands, is the same one a more capable adversary would use. The malware was typically hidden among system applications, making it difficult for average users to detect.

Protective measures against physical access attacks:

  • Use burner devices when crossing borders or attending protests
  • Enable full-disk encryption before surrendering any device, so that whoever holds it cannot read the stored data without your passcode
  • Consider factory resetting devices after they’ve been out of your possession, or after returning from a country known for aggressive surveillance, especially if you are a person of interest (journalist, activist, human rights advocate).

Network-Based Surveillance

Beyond malware, governments and hackers can conduct extensive surveillance simply by exploiting weaknesses in cellular and internet infrastructure.

IMSI catchers, commonly known as Stingrays, mimic legitimate cell towers to intercept calls, texts, and data from nearby phones. These devices have been deployed in Kenya, Uganda, and Tanzania during political events and protests. Remember the case of Jimi Wanjigi, who reported that the government had deployed vehicles with what appeared to be antennae at his home? Unlike malware infections, IMSI catchers don’t require any software installation on target devices—they work by exploiting fundamental aspects of how cellular networks operate.

Similarly, vulnerabilities in the SS7 protocol used by telecom networks allow attackers to track locations, intercept SMS messages, and even redirect calls. These flaws have been exploited across Africa to target activists and journalists, with documented cases in Rwanda, Ethiopia, and South Sudan.

Signs of network surveillance:

  • Unexpected loss of service in specific locations
  • Unusual battery drain in areas with normally good coverage
  • Delayed or undelivered text messages

Defending Against Surveillance Malware

Protecting against these threats requires a layered approach combining technical measures with behavioural changes.

For high-risk individuals, using purpose-built secure devices like those running GrapheneOS (for Android) or enabling Lockdown Mode on iOS can significantly reduce vulnerability to zero-click exploits. These operating systems remove unnecessary features that attackers often exploit while maintaining strong security defaults.

Regular software updates remain crucial, as they patch known vulnerabilities that attackers might exploit. However, users should be cautious about when and how they install updates, as compromised networks or app stores might distribute malicious updates.

Essential security practices:

  • Use a reputable VPN when connecting to public Wi-Fi
  • Enable two-factor authentication using hardware tokens rather than SMS
  • Regularly audit installed applications and remove unnecessary ones
  • Monitor devices for signs of unusual behaviour like overheating or battery drain

For those who suspect they may be targeted, tools like Mobile Verification Toolkit (MVT) can help identify signs of compromise. Developed by Amnesty International’s Security Lab, MVT has been used to detect Pegasus infections on numerous devices across Africa.


Conclusion

By understanding how these infections occur—whether through zero-click exploits, social engineering, or physical access—individuals can make informed decisions about their digital security. The key is remaining vigilant without becoming paralysed by fear, implementing practical protections while continuing essential work.

