
100 Countries Now Have Spyware That Can Hack Your Phone

By Brandon Henderson·April 22, 2026·6 min read

Nearly 100 governments are running spyware operations against ordinary phones right now. Not tomorrow. Now. And most UK businesses haven’t updated their threat models in years. That’s not a gap in awareness. That’s a financial liability waiting to detonate.

What’s Actually Happening

The UK’s cybersecurity chief has sounded the alarm. British businesses and critical infrastructure are badly underestimating the threat from commercial spyware. And the numbers back that up hard.

According to the US National Counterintelligence and Security Center Director Michael Casey, speaking in January 2025, nearly 100 countries have acquired and are actively using cellphone spyware. That’s up from more than 80 capitals reported by the UK’s own National Cyber Security Centre back in April 2023. In less than two years, the buyer pool grew by roughly 25%.

This isn’t a niche problem for dissidents and journalists anymore. According to the UK NCSC, spyware tools are being used at scale, targeting thousands of individuals every year. That list includes business executives, government officials, and legal professionals. The commercial sector is now the primary target group, according to NCSC analysts, because low-skill nations can simply buy the capability they need off the shelf.

That’s the part most people miss. You don’t need a sophisticated state intelligence agency to spy on you anymore. You just need a credit line and a vendor willing to sell.

The Uncomfortable Truth About the Spyware Market

I’ll say something most tech publications won’t say plainly. This market exists because it’s wildly profitable. According to the US NCSC, the spyware industry is a “huge growth business” with dozens of companies competing for government contracts worldwide. NSO Group, the Israeli firm behind the Pegasus tool, was blacklisted by the US government in 2021 for supplying spyware used against journalists, activists, and government officials. But blacklisting one company didn’t kill the market. It just created room for dozens of new vendors to fill the gap.

This is basic economics. When you make something illegal in one jurisdiction and leave the global market open, you get fragmentation, not reduction. Rich states with big defense budgets buy from the established players. Smaller states with ambition and limited technical skills buy from the cheaper vendors who’ve now flooded the market. According to the UK NCSC’s 2023 assessment, commercial spyware enables dozens of states that lack the internal skills to otherwise access these capabilities.

Now think about what that means for a mid-sized UK financial services firm. Your CFO takes a meeting in Dubai. Your legal counsel travels to Singapore. Your M&A team flies to Frankfurt. Every one of those people is carrying a phone loaded with deal information, client contacts, and sensitive communications. Any one of those governments, or governments that have purchased access to tools operating in those regions, could be watching.

Meanwhile, back home, the UK government issued a secret order to Apple in February 2025 demanding access to end-to-end encrypted iCloud data globally, including backups, contacts, location data, and messages. This was made under the Investigatory Powers Act of 2016, which allows the UK government to order companies to remove encryption. Human Rights Watch and Amnesty International both criticized the order as a serious global privacy threat. Apple pulled its Advanced Data Protection feature from the UK entirely rather than comply.

Here’s my take. When your own government is trying to crack the encryption protecting your business data, and 99 other governments are running spyware operations, treating cybersecurity as an IT budget line item is a losing strategy. It’s the equivalent of leaving your safe unlocked because the neighborhood “seems fine.”

For individuals and small business owners who want a starting point, running solid endpoint protection matters more than most people think. I’ve recommended TotalAV antivirus protection to people who want something that actually catches threats at the device level without needing a dedicated IT team to configure it.

What This Means For You

Let me be direct about what I would do right now if I ran a UK business with any international exposure.

First, I would audit every device my executive team carries overseas. Spyware like Pegasus doesn’t need you to click a link. It uses zero-click exploits, meaning it installs itself with no action from the target. Your phone doesn’t have to do anything wrong. It just has to be on and connected.

Second, I would treat encrypted messaging apps as the floor, not the ceiling of my security posture. The UK government’s order to Apple proves that even platforms you trust can be forced to hand over data. Build protocols that assume the infrastructure is compromised.

Third, I would stop underestimating state actors. According to NCSC reporting, UK businesses consistently model threats based on criminal hackers. State actors operate with bigger budgets, longer time horizons, and no legal constraints in their home jurisdictions. The threat model is completely different.

Fourth, device-level protection still matters for day-to-day operations. For employees who aren’t traveling to high-risk regions but still face commercial spyware risks at home, a comprehensive solution like Norton security suite covers multiple devices and adds network monitoring that basic free tools skip entirely.

Fifth, get briefed. GCHQ’s Tempora program buffers internet content for three days and metadata for 30 days through bulk collection on fiber-optic cables, according to documented reporting on the program. That’s your country’s own intelligence service. Understanding the full surveillance environment, domestic and foreign, is not paranoia. It’s due diligence.

The businesses that get hurt are the ones that assume they’re not interesting enough to target. Every company with IP, deal flow, or client data is interesting to someone.

The Bottom Line

The spyware market doubled its government buyer base in under two years. Your phone is the target. Your business data is the prize. Governments are buying access to hacking tools the same way they buy office supplies, off the shelf, in bulk, from competing vendors. The UK is warning its own businesses to wake up. I’d take that warning seriously before the next board meeting turns into a breach disclosure.

Frequently Asked Questions

What is commercial spyware and how does it work?

Commercial spyware is software sold by private companies to governments that allows them to remotely access and monitor smartphones. Tools like Pegasus can install themselves without the target clicking anything, giving attackers access to messages, calls, location data, and camera feeds. According to the UK NCSC, these tools are being used to target thousands of individuals every year.

Which countries have spyware capabilities?

According to US NCSC Director Michael Casey in January 2025, nearly 100 countries have acquired and are actively using cellphone spyware. That number grew from more than 80 governments identified by the UK NCSC in April 2023. The list includes both large state actors and smaller governments buying commercial tools from private vendors.

Is the UK government itself a surveillance threat to businesses?

The UK’s Investigatory Powers Act of 2016 gives the government power to issue secret orders demanding companies remove encryption or hand over data. In February 2025, the UK Home Office issued such an order to Apple, demanding access to globally encrypted iCloud data. Businesses operating under UK jurisdiction should factor domestic legal surveillance powers into their data security planning.

How can businesses protect themselves from spyware attacks?

Businesses should audit devices carried by traveling executives, enforce encrypted communication protocols, and treat endpoint security as a baseline requirement rather than optional. State-level spyware uses zero-click exploits that require no action from the target, so network and device-level monitoring is more important than employee awareness training alone. Regular threat assessments aligned with current intelligence, not just criminal hacker models, are necessary.

Why is the spyware market growing so fast?

The market is growing because it’s extremely profitable and largely unregulated across most of the world. According to the US NCSC, dozens of companies now compete in the space, giving governments with limited technical skills the ability to buy sophisticated surveillance capabilities off the shelf. Blacklisting single vendors like NSO Group creates openings for new competitors rather than shrinking the overall market.
