Yes, you could. You could even use a fake phone which is wired to log everything. A lot of malware attempts to avoid VMs and simulated environments, but the actual 0 day would be before that point.
If a state-sponsored party really wants to find these zero days, I'm sure they can. I would imagine that this is more like what happened with EternalBlue: it's something they know but don't report because it's useful to them too.