This is no surprise. Intelligence agencies are not magic, they rarely have the computational capabilities to break encryption. Communications are subverted by capturing the text either before it is encrypted, or in the clear on the device after it is received.

There are many vendors of software around the world that sell to Governments to enable complete compromise of devices. Pegasus by NSO is just the most famous. NSO has been sanctioned, so it is unlikely this was used in this case. There are however many more to pick from, unfortunately. RT is suggesting that an intelligence agency "RAT'd" (Remote Access Trojan) Tuckers phone.

Malware that can compromise a device is, again, not magic, but relies on unpatched vulnerabilities in software. The worst being the '0-click', where a malicious message sent from the attacker is able to exploit some bug in the operating system and hand control to the attacker. The large amount of possible file types and messages that a device can understand makes this easier to find places with buggy code. The device vendors put considerable efforts into fixing these vulnerabilities.

Next time someone finds a 'killer' bug in android or ios, and someone suggests selling that exploit for a payday (shady brokers might pay 20 BTC or more), know that its final usage will be attacking peoples devices around the world.