[gruez]

Not really.

1. There's no reason why a threat actor would have to send you 3-4 messages per day. Of the exploits I've seen, they only need to send one. Sending 3-4 messages per day just unnecessarily increases the risk of getting caught (ie. the target getting suspicious and asking on hacker news whether they're getting hacked)

2. There's no reason why the message has to contain sketchy links. They could very well disguise messages as ads/notifications for well known businesses, political organizations, or from random people who got the wrong phone number.

3. There's no reason why the attacker can't erase any trace of the initial message after your device is infected, so unless you're staring at your phone 24/7 it's very easy to miss the message.

[dannyw]

Disagree with all 3 points.

If I am sneaking a payload in, and I have different exploits for different OS versions, I would exactly disguise it as spam.

Pretending to be a busines, or a random person with wrong number, and then DELETING IT is a noteable indicator of compromise.

I know this isn't how Pegasus works, but I'm sure there are more exploit kits being sold in the world. Some may not be as sophisticated, and may rely on spraying and praying with different exploits.

[gruez]

>If I am sneaking a payload in, and I have different exploits for different OS versions, I would exactly disguise it as spam.

Right, but the point is that GP seems to have been tipped off by the "sketchy links", rather than the spam itself, and that there are far better ways to compose your spam texts than ones with sketchy links.

>Pretending to be a busines, or a random person with wrong number, and then DELETING IT is a noteable indicator of compromise.

It depends on the nature of the exploit. I was operating under the assumption that "0 click" means the exploit gets run as soon as the phone receives it, which would allow for the exploit to clean up after itself without alerting the owner, unless the owner was staring at the phone the exact moment the message came in.