Spyware

What is Spyware?

Spyware Definition

Spyware is a type of malicious software that secretly installs itself on a user’s device to collect and transmit information without their knowledge and consent. Spyware can collect various types of data, from internet browsing history to personal and financial data.

How Does Spyware Work?

  1. Installation: Spyware often installs along with seemingly harmless software or through security vulnerabilities.
  2. Hiding: Spyware operates in the background, trying to remain undetected by the user and antivirus software.
  3. Data Collection: Spyware gathers various types of information depending on its purpose.
  4. Data Transmission: Collected information is transmitted to the attacker or spyware creator.
  5. Updates: Some advanced forms of spyware can update themselves to avoid detection.

Types of Spyware

  • Keyloggers: Record keystrokes, capturing passwords and other sensitive data.
  • Adware: Displays unwanted ads and collects data about the user's online behavior.
  • Banking Trojans: Specialize in stealing financial data.
  • Infostealers: Steal various types of information, such as login data or files.
  • Trackware: Tracks the user's online activity.
  • System Monitors: Monitor overall system activity.

Threats Associated with Spyware

  • Identity Theft: Intercepting personal data can lead to identity theft.
  • Financial Losses: Theft of banking and credit card data.
  • Privacy Violation: Monitoring of online and personal activity.
  • Device Performance Decrease: Spyware can significantly burden the system.
  • Loss of Confidential Information: Theft of company or personal data.
  • Blackmail: Using collected information for extortion.

How to Detect Spyware on a Device?

  • Device Slowdown: Unexplained performance drops.
  • Unusual Behavior: Unexpected pop-ups, changes in browser settings.
  • Increased Data Usage: Unexplained increase in data transfer.
  • Unknown Processes: Suspicious processes visible in task manager.
  • Connection Problems: Unstable or slow internet connection.
  • Antivirus Scanning: Regular scanning can detect spyware.

Protection Methods Against Spyware

  • Software Updates: Regular updating of operating system and applications.
  • Antivirus Software: Using and updating antivirus programs.
  • Download Caution: Downloading software only from trusted sources.
  • Avoiding Suspicious Links: Not opening links from unknown sources.
  • Firewall: Using a network firewall.
  • Education: Increasing awareness about internet threats.
  • Ad Blocking: Using tools to block ads and pop-ups.

Spyware Removal

  • Antivirus Scanning: Using specialized anti-spyware software.
  • Safe Mode: Starting the computer in safe mode before scanning.
  • Registry Cleaning: Removing suspicious registry entries (carefully!).
  • System Update: Installing latest security updates.
  • System Restore: In extreme cases, system restore to a previous point may be necessary.

Spyware vs Other Types of Malware

  • Spyware vs. Virus: Viruses replicate and spread, while spyware focuses on collecting information.
  • Spyware vs. Malware: Spyware is a type of malware, but malware covers a broader range of malicious software.
  • Spyware vs. Ransomware: Ransomware encrypts data and demands ransom, while spyware secretly collects information.

Spyware poses a serious threat to user privacy and security. Effective protection requires a combination of appropriate security software, threat awareness, and caution when using the internet and applications.

Frequently asked questions

What is spyware in simple terms?

Spyware is malicious software that secretly installs on a device to monitor activity and exfiltrate data without the user's knowledge or consent. It can capture passwords, browsing history, financial details, location, microphone audio, camera video, and screen contents. Spyware exists across all platforms (Windows, macOS, Linux, Android, iOS) and ranges from commercially available adware to nation-state-grade tools like Pegasus and Predator. In 2026, the line between spyware and infostealer malware has blurred: products like RedLine, Lumma, and Vidar are sold as Malware-as-a-Service (MaaS) and steal credentials at industrial scale.

What are the main types of spyware?

Six common categories:

  1. Keyloggers: record every keystroke, capturing passwords and messages.
  2. Infostealers (RedLine, Lumma, Vidar, Raccoon): steal browser passwords, cookies, crypto wallets and files; sold as MaaS, fuelling massive credential leaks in 2024-2026.
  3. Adware with tracking: bundled with free software, monitors browsing for ad targeting.
  4. Mobile spyware (FlexiSpy, mSpy, Cocospy): sold as 'parental control' or 'employee monitoring', often abused by stalkers.
  5. Stalkerware: a narrower category aimed at intimate partner surveillance.
  6. Nation-state spyware (Pegasus by NSO Group, Predator by Intellexa, Reign by QuaDream): zero-click installation, full device compromise, used against journalists, activists and dissidents.

What are famous spyware examples?

Five high-profile cases:

  1. Pegasus (NSO Group): Israeli spyware sold to governments and used against journalists and dissidents worldwide; documented cases include WhatsApp/iMessage zero-clicks and the targeting of EU politicians and US State Department officials.
  2. Predator (Intellexa): competitor to Pegasus, used in Greece, Egypt and elsewhere.
  3. FinFisher / FinSpy: German-made commercial spyware, retired in 2022 after company insolvency.
  4. Pegasus zero-click via iMessage (FORCEDENTRY 2021): required no user interaction and prompted the iOS 14.8 emergency patch.
  5. RedLine Stealer: commodity infostealer responsible for billions of leaked credentials since 2020 and the primary fuel for credential-stuffing attacks.

Citizen Lab and Amnesty International maintain ongoing research on commercial spyware abuses.

How does spyware infect devices?

Six common vectors:

  1. Phishing emails or messages with malicious attachments or links.
  2. Drive-by downloads from compromised websites.
  3. Bundled with free software: pirated apps, fake utility tools, dubious browser extensions.
  4. Malicious mobile apps disguised as games, productivity, or 'security' tools (especially outside official app stores).
  5. Physical access: someone installs stalkerware while having brief access to the unlocked device.
  6. Zero-click exploits: nation-state spyware like Pegasus delivered via iMessage, WhatsApp or SMS without any user interaction.

Mobile spyware on iOS requires either a zero-click exploit or a jailbreak; Android allows easier sideloading, which increases risk.

How to detect and remove spyware?

Detection:

  1. Slow performance, unusual battery drain, a hot device when idle.
  2. Unfamiliar apps in the installed list, especially with system-like names.
  3. Mobile data usage spike (spyware exfiltrates data).
  4. Permissions abuse: apps with mic/camera/SMS/contacts access without good reason.
  5. Specialised tools: MVT (Mobile Verification Toolkit) for Pegasus on iOS/Android, iVerify, Lookout, Zimperium, Malwarebytes Anti-Malware.

Removal:

  1. On Android: Safe Mode plus removal of suspicious apps; factory reset for a confirmed infection.
  2. On iOS: update to the latest iOS, restore from a clean backup, in extreme cases an iCloud-only restore (never restore from a backup that may contain spyware).
  3. On desktop: full EDR scan, then a clean reinstall for confirmed advanced spyware.

Change all passwords from a clean device after spyware is confirmed.
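The detection signs in the answer above (unfamiliar apps with system-like names, data usage spikes, permission abuse, installs from outside the official store) can be combined into a simple triage score over an app inventory. This is an added example, not part of the original page; the inventory schema, word list and thresholds are assumptions, and the sample records are constructed.

```python
import json

# Permissions the page names (mic, camera, SMS, contacts) plus location.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
PLAY_STORE = "com.android.vending"  # installer package name of Google Play
SYSTEM_LIKE = ("system", "update", "service", "sync")  # assumed word list

# Constructed sample inventory in a hypothetical schema (not real tool output).
SAMPLE = json.loads("""[
 {"package": "com.example.notes", "label": "Notes", "system": false, "installer": "com.android.vending",
  "mb_7d": [12, 9, 14, 11, 10, 13, 12], "permissions": ["android.permission.CAMERA"]},
 {"package": "com.example.sysupdate", "label": "System Update Service", "system": false,
  "installer": null, "mb_7d": [3, 4, 2, 3, 5, 4, 96],
  "permissions": ["android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
                  "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"]},
 {"package": "com.example.video", "label": "Video Player", "system": false, "installer": "com.android.vending",
  "mb_7d": [100, 120, 90, 110, 95, 105, 900], "permissions": []}
]""")

def score_app(app):
    """Return (score, reasons): one point per warning sign the app shows."""
    reasons = []
    held = sorted(SENSITIVE[p] for p in app["permissions"] if p in SENSITIVE)
    if not app["system"] and app["installer"] != PLAY_STORE:
        reasons.append("installed outside Google Play")
    if len(held) >= 3:  # assumed threshold for "broad" access
        reasons.append("broad sensitive access: " + ", ".join(held))
    if not app["system"] and any(w in app["label"].lower() for w in SYSTEM_LIKE):
        reasons.append("system-like name on a non-system app")
    earlier = sorted(app["mb_7d"][:-1])
    baseline = earlier[len(earlier) // 2]  # upper median of the previous days
    latest = app["mb_7d"][-1]
    if latest > 5 * max(baseline, 1):  # assumed spike factor
        reasons.append(f"data spike: {latest} MB vs typical {baseline} MB")
    return len(reasons), reasons

def triage(inventory, threshold=2):
    """List (package, score, reasons) for apps at or above threshold, worst first."""
    scored = [(app["package"], *score_app(app)) for app in inventory]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single sign, such as the data spike on the video player, stays below the default threshold; only the app that combines several signs is reported.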

How to prevent spyware infections?

Layered defence:

  1. Modern endpoint protection with behavioural detection (CrowdStrike, Microsoft Defender, SentinelOne, Sophos).
  2. Update OS and apps promptly: most spyware exploits known CVEs.
  3. Don't sideload Android apps: install only from Google Play; on iOS, App Store only.
  4. Audit app permissions regularly: revoke mic/camera/location for apps that don't need them.
  5. Phishing-resistant MFA on every account: limits damage from stolen credentials.
  6. Be cautious with browser extensions: they have wide access; install only well-known, audited extensions.
  7. For high-risk users (journalists, activists, executives): use Apple's Lockdown Mode, Google's Advanced Protection Program, dedicated burner devices.

For organisations, add cyber insurance and an incident response retainer.

Is a mobile device a particularly risky target for spyware?

Yes. A mobile device is the most personal device, contains the most sensitive data (location, contacts, messages, banking, biometrics, MFA codes), and is the primary target for nation-state spyware in 2024-2026. iOS has historically been more secure due to App Store review and tighter sandboxing, but high-profile zero-click exploits (Pegasus FORCEDENTRY 2021, BLASTPASS 2023) prove no platform is immune. Android offers more flexibility (sideloading) at the cost of higher risk.

Recommendations for high-risk users:

  1. Use the latest iOS or a Pixel with monthly security updates.
  2. Use Apple Lockdown Mode for critical use cases.
  3. Restart the device daily (some spyware doesn't survive a reboot).
  4. Avoid clicking links in messages.
  5. Compartmentalise: keep a separate phone for sensitive activities.

For organisations: deploy MDM/UEM with mobile threat defense (MTD).
