Paragon and Graphite: Messaging Apps Killchains
Simone Onofri
Security Lead at W3C | Author of Attacking and Exploiting Modern Web Applications | GXPN, GREM, GWAPT, OSCP, OPSA, CEH
Graphite spyware, produced by Paragon, has recently garnered significant attention in Europe—particularly in Italy (Lakshmanan, 2025). The debate spans both legal and technical aspects. In Italy, for example, such tools are strictly regulated: they may only be employed in specific cases by designated entities, subject to rigorous authorization processes, and with certain target categories being off-limits. Since I am not a lawyer, I will focus on the technical side by using publicly available information to make assumptions and model a kill chain that outlines an actor's steps to compromise a target (Pirc et al., 2016).
Considerations
According to Lakshmanan (2025), the target was added to a WhatsApp group and received a PDF file. Remote code execution (RCE) occurred without the target opening the file. Because the target is exploited without taking any action, the attack is classified as a zero-click exploit (Kaspersky, 2022).
This tactic, technique, and procedure (TTP) is not new. A similar TTP can occur when an MP4 file is received via WhatsApp (WhatsApp, 2019), and comparable vulnerabilities have been observed in PDF or Passkit files on another messaging app (Marczak et al., 2021; CitizenLab, 2023).
At this stage, the attacker can execute code within the WhatsApp process, leading to various outcomes. For example, the attacker might gain control of the device—a process that could require additional steps, such as a sandbox escape or local privilege escalation, to further compromise the system. This complex chain of events is described in Operation Triangulation (Larin, 2023). Ultimately, the actor's actions depend on their final objective, such as data exfiltration (MITRE, 2020a).
According to Brewster (2021), who cites multiple sources, Graphite's operating model is described as follows: it aims to "get access to the instant messaging applications on a device, rather than taking complete control of everything on a phone"; it "exploits the protocols of end-to-end encrypted apps, meaning it would hack into messages via vulnerabilities in the core ways in which the software operates"; and it can "remotely break into encrypted instant messaging communications." Additionally, one spyware industry executive noted that Graphite also "promises to get longer-lasting access to a device, even when it's rebooted". In summary, Graphite exploits messaging apps, does not attempt to access the rest of the device, and focuses on maintaining access after a reboot.
Regaining access after a reboot can be achieved in several ways. One approach is persistence, which requires higher privileges on the device; alternatively, an attacker might simply re-exploit the device with the same attack (MITRE, 2020b). Another interesting technique, described by Marczak et al. (2023), relates to "Hijacking the phone's Anisette framework and hooking the gettimeofday syscall to generate iCloud time-based one-time password (TOTP) login codes for arbitrary dates. We suspect that this is used to generate two-factor authentication codes valid for future dates, in order to facilitate persistent exfiltration of the user's data directly from iCloud".
This last concept is particularly interesting: if an attacker retains access to the data in the cloud, they can continue to exfiltrate it in the future without any persistence on the device itself, a form of "Logic Persistence".
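As an added illustration (not part of the original article), the following RFC 6238 TOTP implementation uses the reference seed from the RFC's own test vectors rather than a real credential. It shows why a seed copied off a device yields valid codes for any future clock value, and that only re-enrolling (rotating) the seed, not changing the password, invalidates codes computed in advance:

```python
"""Why a copied TOTP seed gives "logic persistence": an RFC 6238 worked example."""
import hashlib
import hmac
import struct

# Constructed example key: the reference seed from RFC 6238 Appendix B, not a real credential.
RFC6238_SEED = b"12345678901234567890"
STEP = 30  # seconds per TOTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_at(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP is HOTP keyed by the time window: its only inputs are the seed and the clock."""
    return hotp(secret, unix_time // STEP, digits)


def verify(secret: bytes, code: str, now: int, digits: int = 6, skew: int = 1) -> bool:
    """Typical server-side check: accept the current window plus `skew` windows either side."""
    counter = now // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


def precompute(secret: bytes, start: int, windows: int, digits: int = 6) -> dict:
    """Codes for `windows` consecutive windows from `start`: nothing but the seed and a chosen clock."""
    first = start - start % STEP
    return {t: totp_at(secret, t, digits) for t in range(first, first + windows * STEP, STEP)}


def codes_still_valid(current_secret: bytes, table: dict, digits: int = 6) -> int:
    """Defender's check: how many pre-computed codes the verifier still accepts with the current seed."""
    return sum(verify(current_secret, code, t, digits) for t, code in table.items())


if __name__ == "__main__":
    future = 2_000_000_000  # a clock value well ahead of "now" (the RFC 6238 test timestamp)
    table = precompute(RFC6238_SEED, future, 10, digits=8)
    print("accepted before re-enrollment:", codes_still_valid(RFC6238_SEED, table, 8))
    # Re-enrolling 2FA replaces the seed; the pre-computed table becomes worthless.
    print("accepted after re-enrollment:", codes_still_valid(b"constructed-new-seed", table, 8))
```

The lesson for incident response is that after a device compromise of this kind, MFA seeds (and cloud sessions) have to be re-issued, since every code for every future window was already derivable from the stolen seed.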
The same idea applies to messaging systems, where extracting keys can grant continued access to the data. Barda et al. (2019) described a key extraction technique for WhatsApp performed during the linking process. However, retrieving the keys is not easy and represents only the first step; accomplishing the subsequent tasks is similarly challenging and requires extensive technical knowledge. Nevertheless, as evidenced by past cases, several methods exist for obtaining chat data (Marczak et al., 2021; CitizenLab, 2023; Larin, 2023).
Conclusions
In conclusion, several outcomes are possible in a zero-click attack in which the attacker gains control of a messaging app's process. The attacker may access and exfiltrate chat data, extract keys to maintain logical persistence and then exfiltrate new chat data from the cloud or from backups, or exploit higher-privilege processes to install persistence or otherwise compromise the device. The specific approach depends on the attacker's objectives and the situation.
When analyzing the kill chain, one effective defensive measure is to activate Lockdown Mode (Apple, n.d.). This mode blocks certain messaging attachments, turns off advanced browser features that automatically initiate FaceTime calls, restricts some Apple services, limits the information shared in photos, requires that a device be unlocked before connecting to another, prevents connections to unsecured Wi-Fi networks, and blocks the use of configuration profiles. Similarly, Android offers a comparable mode (Vakulov, 2024).
References
Apple. (n.d.). About Lockdown Mode. Apple Support. https://support.apple.com/en-us/105120
Barda, D., Zaikin, R., & Vanunu, O. (2019, August 8). Black Hat 2019 – WhatsApp Protocol Decryption for Chat Manipulation and More. Check Point Research. https://research.checkpoint.com/2019/black-hat-2019-whatsapp-protocol-decryption-for-chat-manipulation-and-more/
Brewster, T. (2021). Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance Startup That “Hacks WhatsApp And Signal.” Forbes. https://www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal/
CitizenLab. (2023, September 7). BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild. https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
Facebook. (2019). Security advisory CVE-2019-11931. Facebook.com. https://www.facebook.com/security/advisories/cve-2019-11931
Kaspersky. (2022, March 30). What is zero-click malware, and how do zero-click attacks work? Www.kaspersky.com. https://www.kaspersky.com/resource-center/definitions/what-is-zero-click-malware
Lakshmanan, R. (2025, February). Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting 90 Journalists, Activists. The Hacker News. https://thehackernews.com/2025/02/meta-confirms-zero-click-whatsapp.html
Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. Securelist.com. https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/
Marczak, B., Scott-Railton, J., Abdul Razzak, B., Al-Jizawi, N., Anstis, S., Berdan, K., & Deibert, R. (2021, September 13). FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild. The Citizen Lab. https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/
Marczak, B., Scott-Railton, J., Perry, A., Al-Jizawi, N., Anstis, S., Panday, Z., Lyon, E., Razzak, B. A., & Deibert, R. (2023, April 11). Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers. https://citizenlab.ca/2023/04/spyware-vendor-quadream-exploits-victims-customers/
MITRE. (2020a). Exfiltration, Tactic TA0036 - Mobile | MITRE ATT&CK®. Mitre.org. https://attack.mitre.org/tactics/TA0036/
MITRE. (2020b). Persistence, Tactic TA0028 - Mobile | MITRE ATT&CK®. Mitre.org. https://attack.mitre.org/versions/v16/tactics/TA0028/
Pirc, J., DeSanto, D., Davison, I., & Gragido, W. (2016). Kill Chain Modeling. Threat Forecasting, 115–127. https://doi.org/10.1016/b978-0-12-800006-9.00008-2
Vakulov, A. (2024, November 15). How To Use Lockdown Mode To Secure Your Android Smartphone. Forbes. https://www.forbes.com/sites/alexvakulov/2024/11/15/how-to-use-lockdown-mode-to-secure-your-android-smartphone/
WhatsApp. (2019). WhatsApp Security Advisories. Whatsapp.com. https://www.whatsapp.com/security/advisories/archive?lang=en_US