The Evolution of iPhone Spyware: 18 Years of Cat-and-Mouse Games

By Simon Lewis

Apple has long positioned the iPhone as one of the most secure consumer devices on the market. And for good reason—iOS includes strong privacy protections, encryption, and a locked-down app ecosystem. But no device is completely immune to spyware.
Over the years, attackers have continued to find ways to bypass Apple’s defenses. From early jailbreak-based apps to modern spyware capable of silently infecting up-to-date iPhones, spyware threats have evolved in step with Apple’s security.
In this post, we’ll explore the major milestones in the evolution of iPhone spyware—from its origins in 2007 to the sophisticated tools used today. Whether it’s commercially available stalkerware or government-grade surveillance, spyware has proven to be a persistent and adaptable threat.
Early Days: Jailbreak Spyware (2007 Onward)
From the outset, the backbone of Apple’s security model has been that it doesn’t allow apps from outside the App Store. To get around this, attackers turned to a process called jailbreaking.
Jailbreaking removes Apple’s software restrictions, allowing installation of unauthorized apps—including spyware.
In the late 2000s, tools like FlexiSPY and MobileSpy appeared, offering powerful surveillance features. These apps could record calls, track GPS, read texts (even deleted ones), and secretly activate the microphone or camera.
But they required physical access. The attacker needed to jailbreak the device and manually install the spyware—something that could usually only be done by someone close to the victim.
Over time, Apple made jailbreaking increasingly difficult. With each iOS update, new security protections made it harder for the jailbreak community to keep up.
But jailbreak-based spyware didn’t disappear; it remained in use even as other spying methods emerged. In fact, some spyware makers returned to it later, when newer Apple security updates made alternative spying methods (e.g. iCloud hacking) more difficult.
Even today, jailbreak spyware still exists. It’s harder to install, and fewer users have vulnerable devices, but it continues to be marketed online, particularly in cases where the attacker has close access to the victim.
Cloud Surveillance: The iCloud Backup Method

Around 2014, as jailbreaking started to become less reliable, spyware vendors looked for alternatives. They found a new opportunity in iCloud.
By default, many iPhones automatically back up to iCloud. These backups include messages, call logs, photos, app data, and more.
Spyware companies realized that if an attacker had access to the victim’s Apple ID and password, they could remotely download these backups—without touching the iPhone at all.
This method became known as “non-jailbreak” spyware and was marketed as easier and safer than physical installation.
With access to iCloud backups, attackers could view:
- SMS and iMessage conversations
- WhatsApp and other messaging apps
- Photos and videos
- Calendar entries
- Location history
- App data from every installed app
- Contacts and call history
- Safari history
This kind of spyware was particularly dangerous because it didn’t require anything to be installed on the phone itself. And it could be set up from anywhere, as long as the attacker had the login credentials.
But Apple eventually caught on.
Apple’s Response: Locking Down iCloud
In response to growing abuse, Apple began enforcing two-factor authentication (2FA) on iCloud accounts. By 2022, over 95% of iCloud users had 2FA enabled.
With 2FA in place, even if someone had your password, they couldn’t log into your account without access to a one-time code sent to your trusted device.
Apple also introduced alerts for new logins, improved detection of suspicious activity, and an option to encrypt iCloud backups end-to-end with Advanced Data Protection.
Then in 2020, Apple changed how third-party apps could interact with iCloud. Most notably, it blocked access to full iCloud backups for outside services.
Today, spyware tools that once relied on this method can only access “synced” iCloud data—like contacts, iMessages, and photos—rather than the full backup.
This didn’t stop spyware companies entirely, but it greatly limited what they could access using the iCloud method. As a result, many began shifting focus again—this time, to a little-known feature in iTunes.
Exploiting iTunes: The Wi-Fi Sync Method

As jailbreaking became harder and iCloud access tightened, spyware makers turned their attention to a new avenue: iTunes Wi-Fi sync.
iTunes allows iPhones to back up wirelessly to a computer on the same network. While convenient, this feature created a privacy risk when abused.
With brief access to a target’s phone, an attacker could set up automatic Wi-Fi syncing to their own computer. This meant the iPhone would periodically back up to the attacker’s computer—no cables, no prompts, and no alerts.
Once backups were available, spyware tools running on the computer could extract and upload the data to a web dashboard for the attacker to view.
This method was particularly popular in domestic abuse situations, where the attacker had easy access to the victim’s devices and home network.
It also became a preferred method among some commercial spyware services. Unlike jailbreaking, it worked on the latest iPhones. And unlike the iCloud method, it didn’t require login credentials.
But again, Apple eventually stepped in.
Apple Responds: Passcode Required for Backups
In 2022, Apple released iOS 16.1, which included a subtle but powerful change.
Now, any time a backup is initiated—whether over USB or Wi-Fi—the user must enter their device passcode.
This meant spyware relying on Wi-Fi sync could no longer silently pull data. The iPhone would prompt the user every time, making the attack obvious and easily disrupted.
As a result, this method became much harder to use without the victim noticing. Many spyware tools that relied on Wi-Fi sync were rendered ineffective unless the attacker also knew the device’s passcode and could repeatedly access the phone.
It was a quiet but important win for user privacy.
Nation-State Spyware: Enter Pegasus

While commercial spyware tools were exploiting backups and sync methods, a more advanced class of spyware was emerging.
The most notorious example is Pegasus, developed by Israeli company NSO Group. Pegasus is known to be used by oppressive governments around the world to target journalists, dissidents, and political opponents.
Pegasus doesn’t require physical access or credentials. In many cases, it can infect a device with a zero-click exploit—meaning the victim doesn’t even need to tap a link.
For example, Pegasus has been delivered via:
Once installed, Pegasus can access messages, emails, calls, microphones, cameras, and more—all silently and without the user’s knowledge.
The first known case was in 2016, when spyware was discovered on the phone of UAE activist Ahmed Mansoor. Since then, countless other cases have come to light.
Apple has repeatedly patched the vulnerabilities used by Pegasus, but the game of cat-and-mouse continues.
Lockdown Mode: Apple’s Strongest Defense Yet
In 2022, Apple released Lockdown Mode, a feature designed to protect users at high risk of advanced spyware attacks.
When enabled, Lockdown Mode significantly reduces the iPhone’s attack surface by:
- Blocking most message attachments
- Disabling link previews
- Preventing configuration profile installation
- Restricting web technologies
It’s an extreme setting, and most users will never need it. But for journalists, activists, and others who may be targeted by spyware, it can be a vital safeguard.
In 2023, researchers confirmed that Lockdown Mode had successfully blocked a real-world Pegasus infection attempt—proving its effectiveness in high-risk situations.
Spyware Industry Tactics: Evolving to Evade Detection
Spyware makers have always adapted quickly to Apple’s security changes.
As Apple closed one loophole, attackers found another. When jailbreaking became harder, they moved to iCloud. When iCloud became secure, they exploited Wi-Fi sync.
More recently, some tools have taken a different approach entirely—utilizing third-party keyboards installed on the victim’s device. These apps can, in some cases, be misused to capture everything a user types, including messages, passwords, and search terms, without raising suspicion.
In parallel, spyware companies have refined how they market their tools.
Rather than openly promoting spyware, many now claim their products are for “parental monitoring” or “employee supervision.” But customer reviews and real-world usage often tell a different story.
Many stalkerware apps have been found installed on the phones of spouses or ex-partners—often without consent.
Governments have started to take notice too. In recent years, the FTC and other agencies have taken legal action against some spyware vendors, and Apple itself has filed a lawsuit against NSO Group.
Still, the spyware market remains active. Some companies rebrand under new names, shift jurisdictions, or tweak their software to stay one step ahead.
Wrapping Up
Apple has made tremendous strides in improving iPhone security. From hardware encryption and sandboxing to iCloud protections and Lockdown Mode, today’s iPhones are much harder to spy on than they were in 2007.
But spyware hasn’t gone away.
While some methods—like iCloud backup spying or Wi-Fi sync attacks—have become harder or obsolete, others persist. Jailbreak spyware still exists for older or unlocked devices. Sophisticated spyware like Pegasus continues to evolve. And spyware companies still find new ways to push their products to customers with unethical or illegal intent.
No security system is foolproof. Attackers don’t just exploit technical flaws—they also take advantage of social engineering, poor passwords, shared Apple IDs, or overlooked settings.
For iPhone users, awareness is key. Keeping your device updated, using strong passwords and 2FA, and understanding how spyware works can go a long way in staying protected.
Because while the tools may change, the threat of surveillance is always evolving.