Your phone knows everything about you, but so does the attacker

Mobile devices have become the most information-dense objects most people carry. Location history, communication patterns, work calendars, access credentials, sensitive documents: it is all there, on a device that fits in a jacket pocket and connects to dozens of networks each day. For a while, the security industry treated this as a consumer problem. That framing is no longer defensible.

According to figures reported via Businesswire, attacks on smartphones rose 29% year-over-year in 2025, after a 52% surge in 2023 alone; infections reached 33.8 million, up from 22 million the year before. Malware, financial trojans, and advanced spyware all show double-digit growth, and enterprise iPhones are targeted at twice the rate of consumer devices. The most sophisticated actors are no longer waiting for a user to click anything.

Zero-click is not science fiction

The category of attack that demands the most attention is the zero-click exploit: a compromise that requires no action from the target whatsoever. Pegasus, the spyware developed by NSO Group, has been documented compromising both iOS and Android through zero-click delivery. The target does not open a link, download a file, or respond to a message; the device is compromised before the user has any opportunity to notice.

Seventy-four governments have contracted commercial spyware since 2011. The targets have included politicians, diplomats, journalists, lawyers, and senior executives: exactly the profiles of people who carry sensitive organizational information on their phones daily. User training offers no protection against this class of attack, and on-device detection is at best after the fact. You cannot train someone to avoid clicking on something they were never asked to click.

The architecture of the problem

Modern smartphones are extremely complex systems. A single device contains a baseband processor running its own firmware largely outside the control of the main OS, a SIM card with its own execution environment, Bluetooth and NFC stacks, GPS hardware, biometric sensors, and dozens of third-party libraries running inside every application. Each of these components is a distinct attack surface, and most of them are invisible to the person holding the device.

The challenge for organizations is that this complexity is not incidental. It is the product of two decades of consumer-driven design in which usability and functionality were the primary optimization criteria. Security was addressed reactively: a patch here, a permission model there, an additional layer bolted onto an architecture that was never designed with adversarial intent in mind.

This is the dynamic that needs to change; not by abandoning mobile, but by fundamentally rethinking how organizations make decisions about it.

The compliance gap is widening

What has shifted in the past two years is the regulatory context. NIS2 was transposed into Dutch law in October 2024. Eighteen critical sectors are now in scope, and communication tools are explicitly part of the audit framework. Board-level personal liability is active; the first fines are expected between 2025 and 2026.

At the same time, WhatsApp remains the go-to communication platform in many government and critical infrastructure organizations. It is formally banned in several ministries, and the ban is practically unenforceable. Civil servants send sensitive decisions via consumer messaging apps. Field engineers in energy and water companies coordinate via WhatsApp groups. Contractors and external advisors communicate with core teams over platforms that process data under foreign jurisdiction. This is not primarily a culture problem; it is an architecture problem. There is no viable approved alternative deployed at scale, so people use what works.

The NL State Secretary said it publicly

In March 2026, the Dutch State Secretary acknowledged explicitly that reliance on WhatsApp is a risk. The European Commission launched antitrust proceedings against Meta and WhatsApp in April 2026. France, Germany, and Belgium have deployed government-developed or government-contracted alternatives. The Dutch government is actively testing European options right now.

The geopolitical dimension has also sharpened. Salt Typhoon, the Chinese state-sponsored campaign that breached telecom networks, including lawful intercept systems, in more than 80 countries (the Netherlands among them), demonstrated that the infrastructure carrying mobile communications is itself an attack surface. Once the carrier network is compromised, application-layer end-to-end encryption still protects message content, but it does nothing for SMS, ordinary voice calls, or the metadata (who contacted whom, when, and from where) that the network itself records.

Security awareness is not the same as security architecture

Organizations invest in training employees to recognize phishing, avoid suspicious links, and use strong passwords. That is necessary, but it is not sufficient for mobile. A well-trained employee on a consumer-grade device with no mobile device management, no controlled application environment, and no hardened operating system is still an exposed endpoint. The question is not whether they know the risks; it is whether the architecture they operate within limits the damage when something goes wrong.

Organizations that treat mobile security as a policy and awareness problem, rather than an architecture and engineering problem, are making the same mistake that was made with network security twenty years ago. Reactive patching after compromise is not a strategy, and neither is banning a tool without providing a credible alternative.

Back to basics means starting from the threat

The shift that is needed is straightforward in principle, even if it is operationally complex. Organizations need to start from an honest assessment of what their mobile devices actually carry, who has access to them, what networks they connect to, and what the realistic threat profile is for people in their role.

For most government bodies, critical infrastructure operators, defence-adjacent organizations, and large enterprises handling sensitive data, the answer to that assessment will be uncomfortable. The gap between the threat they face and the architecture they have deployed is significant, and it is widening. The question is not whether to act; it’s how to close that gap without making devices unusable for the people who depend on them.