How Grad Student Found Spyware That Could Control Anybody’s iPhone From Anywhere in the World

November 28, 2016

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages - and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

A trim UC Berkeley Ph.D. candidate with dense brown hair and a disciplined beard, Marczak wasn’t just another excitable, fast-talking Berkeley grad student. He was a pioneering analyst in a new and unusual theater of cyber-warfare: the struggle between Middle Eastern freedom activists and authoritarian governments in countries such as Bahrain and Egypt. He was also a senior fellow at Citizen Lab, the University of Toronto “interdisciplinary laboratory” that had almost single-handedly discovered and alerted the world to how these governments were monitoring dissidents with spyware quietly marketed by a group of shadowy European and Israeli companies that have been labeled the first “cyber-arms dealers.”

Before going to sleep, Marczak, always a tad obsessive, rolled out of bed to check his phone for messages. He was standing there in his boxer shorts when he saw it. “Oh my God,” he exclaimed, hopping up and down with excitement, his bright eyes shining even brighter than usual.

Across the bed, his girlfriend wondered, “What is it?”

“I think I just found something huge,” he answered, before kissing her and going into the living room, where he opened his laptop.

When his girlfriend woke the next morning, he was still there.

Marczak had indeed found “something huge.” An activist friend in the United Arab Emirates had sent him an e-mail containing a single Internet link, which Marczak was almost certain would, if clicked, release malignant spyware into his mobile phone. He managed to isolate a portion of its code, but it was so complex he decided to forward a copy across San Francisco Bay to engineers at a computer-security outfit called Lookout, whose offices high in a downtown skyscraper afforded panoramic views from the Golden Gate Bridge to Oakland.

A pair of Lookout engineers, Andrew Blaich, a sandy-haired mobile-security specialist, and Max Bazaliy, an intense grad student from the Ukraine, were the first at the company to study the heavily obfuscated code.

“What do you think it is?” Blaich asked.

“I don’t know. Something really, really bad,” Bazaliy answered in his thick Ukrainian accent.

It took all day for the two to realize just how bad.

It is exceedingly rare to find a never-before-seen vulnerability that allows a hacker to infiltrate the operating system of a computer or mobile phone. Amazingly, the program Marczak had found would be shown to target not one, not two, but three such vulnerabilities.

“Every new line of code, it was like, ‘Oh shit, this can’t be,’ ” Blaich recalls. “ ‘Oh shit. Oh shit.’ It just went on and on.”

By nightfall, the two engineers were staring in disbelief. “This can spy on audio, e-mail, text messages . . . everything. Someone spent a lot of time creating this,” Blaich said.

Bazaliy, a purist, thought it the most beautiful code he had ever seen. “There’s never been anything like this before,” he said.
