Comment by londons_explore

It's possible someone wants to hack you more than you want to defend against it.

Or it's possible you are using your development processes more like a honeypot to trap the attackers. I suspect that was the case here - it's awfully hard to analyze a modern exploit unless you manage to get it to install on a phone you are already monitoring.

(all new exploits are 'single install' - ie. the exploit will retrieve most of its code from a server which will only send the data once, and then immediately after use the exploit code will be deleted. That makes recording the exploit hard).