What is Pegasus spyware, and how to detect and remove it

Pegasus is spyware developed by the Israeli company NSO Group and sold exclusively to government agencies. It infiltrates smartphones via messaging apps and system notifications by exploiting vulnerabilities that do not require user action — so-called zero-click attacks.

Investigations have revealed that Pegasus has been used to spy on journalists, activists, and political figures in over 50 countries. Understanding how Pegasus works — and how it’s been used — sheds light on why it has become one of the most controversial surveillance tools ever created.

How does Pegasus spyware work?

To infiltrate devices, extract data, and evade detection, Pegasus employs three key mechanisms:

Zero-click installation

Unlike most malware, Pegasus installs itself without any user interaction. It exploits security flaws in operating systems and messaging apps like WhatsApp and iMessage, infiltrating devices when users simply receive a message or notification. It often leverages zero-day vulnerabilities — previously unknown security flaws that haven’t yet been patched — making it nearly impossible to defend against in real time.

Surveillance capabilities 

Once installed, Pegasus operates at the system level with root access. It reads encrypted messages from apps, listens to calls, records audio through the microphone, captures photos through the camera, harvests passwords, and tracks location in real time. Pegasus infects both iPhones and Android devices, adapting its method to each operating system’s security structure — a capability that distinguishes it from most commercial spyware.

Self-destructive design

Pegasus erases logs, clears temporary files, and stops communicating with command servers when it detects forensic analysis or prolonged offline periods. This self-destructive design makes it invisible even to advanced security tools, allowing it to vanish before investigators can capture evidence.

Government use and misuse

Pegasus isn’t sold to individuals — it’s licensed to government agencies for use in counterterrorism and criminal investigations. However, investigations have shown it has also been deployed against journalists, activists, and political figures, raising global concerns about its misuse. This gap between NSO’s stated purpose and documented misuse is at the heart of the Pegasus controversy.

NSO Group and Pegasus controversy

Pegasus was developed by the NSO Group, an Israeli cybersecurity company founded in 2010 with the stated aim of assisting governments in combating terrorism and serious crime. The company presents itself as a lawful interception technology provider, selling tools that allow intelligence and law enforcement agencies to access data from criminal suspects when traditional methods are ineffective. NSO claims that its products save lives by helping to dismantle criminal networks, track kidnappers, and prevent terrorist attacks.

However, the spyware industry operates behind closed doors, where the lines between legitimate surveillance and political spying often blur. NSO makes a profit by selling software to government clients worldwide¹, but critics argue that the company’s vetting process is opaque and prioritizes lucrative contracts over human rights protections. Once Pegasus is sold, NSO has limited visibility into how or against whom it is used, and the organization is held to minimal account for its misuse.

In 2021, the Pegasus Project, an international investigation led by Forbidden Stories and Amnesty International with 17 media partners, including the Guardian, the Washington Post, and Le Monde, revealed that Pegasus was used to target journalists, activists, lawyers, and politicians in over 50 countries worldwide.²

Fallout and global response

The exposure of Pegasus triggered immediate international action. Multiple countries, including France, India, and Hungary, launched official investigations into the potential misuse of the spyware.³ ⁴ The European Parliament formed a special committee to examine Pegasus’s impact on democracy and civil rights within the EU.⁵ Several governments, including the United States, imposed trade or diplomatic restrictions on the NSO Group, and international organizations called for stricter oversight of the surveillance industry as a whole.⁶  

At the same time, the controversy deeply damaged NSO’s reputation and financial stability. Reports indicated that the company faced mounting debt, employee layoffs, and a loss of key contracts as investors distanced themselves from the firm.⁷ Pegasus became a symbol of not only intrusive surveillance but also the growing lack of accountability in the global spyware market, where the interests of governments, private firms, and politics are increasingly intertwined.

This does not mean that the world is now safe from spyware like Pegasus. Similar tools have since been discovered, including the North Macedonia-based Predator, which was found to target journalists and opposition figures in countries such as Greece and Egypt.⁸ While the Pegasus controversy exposed one company, it also drew attention to the growing industry of sophisticated digital surveillance tactics.

Ties to the Israeli government

The NSO Group operates under Israel’s export control system, which classifies Pegasus as military-grade technology, requiring Ministry of Defense approval for every sale. This arrangement isn’t unique — the United States, European Union, and 43 other nations impose similar controls on surveillance tools.

What distinguishes Israel’s approach is how these approvals have aligned with diplomatic goals. A 2022 New York Times investigation found that Israel treated NSO as a de facto arm of the state, approving Pegasus sales to Azerbaijan, Morocco, the UAE, and Saudi Arabia as part of its efforts to build an alliance against Iran.⁹ The NYT also reported that Israel blocked sales to Estonia and Ukraine to maintain positive relations with Russia.

The Israeli government denies using Pegasus for diplomatic leverage. However, the mandatory approval process means Israel determines which governments access the spyware, raising questions about accountability when the technology is later deployed against journalists, activists, and dissidents.

How Pegasus threatens privacy and human rights

Pegasus infiltrates devices silently and extracts intimate data — messages, calls, locations, photos — without user consent or awareness. This capability erases the boundary between private and public life, directly threatening privacy, freedom of expression, and human rights protections.

Violation of freedom of speech

Forensic investigations have linked Pegasus infections to journalists, human rights defenders, and political dissidents — not the criminals and terrorists NSO claimed to target. For instance, Pegasus infections were found on the phones of people close to the murdered Saudi journalist Jamal Khashoggi, as well as journalists from El País and The Washington Post.¹⁰ 

In Morocco, investigative reporter Omar Radi was reportedly targeted with Pegasus after publishing stories critical of his government.¹¹ The exposure of Pegasus revealed how easily state surveillance can be used to silence dissenting voices, intimidate journalists, and obstruct freedom of information and speech.

Erosion of civil liberties

The use of spyware extends beyond targeting individuals — it undermines entire democratic systems. In several countries, including Hungary and Spain, Pegasus was used to directly target opposition politicians and activists.¹² 

Monitoring citizens, journalists, and lawmakers at will discourages dissent and weakens trust in public institutions. This creates what experts call a climate of surveillance — a society in which the fear of being watched stifles independent thought, debate, and protest.

How to check if your phone has Pegasus spyware — and what to do about it

Pegasus leaves no visible signs — no pop-ups, battery drain, or performance issues. Rather than spotting behavioral changes, detection requires knowing where to look for digital fingerprints.

1. What not to do

Avoid online removal services or apps that promise instant detection. Spyware is not something you can easily deal with, and most of these services are scams designed to take advantage of the situation you’re in. 

Similarly, don’t give your phone to anyone who claims to be an independent Pegasus expert, unless they’re affiliated with a reputable organization (see point 4). Acting too quickly can result in data loss, destruction of forensic evidence, or alerting the attacker that you’re onto them.

2. Use the Mobile Verification Toolkit

The most reliable way to check for Pegasus is through MVT (Mobile Verification Toolkit) — an open-source forensic tool developed by Amnesty International’s Security Lab.¹³ MVT analyzes phone backup files for indicators of compromise: suspicious domains, altered system logs, or trace code fragments tied to Pegasus operations.

On iPhones, MVT examines iMessage logs and Apple Push Notification data, where Pegasus activity has often been found.

On Android devices, MVT scans system backups and network records. However, Pegasus is more elusive in this environment because it can wipe all traces of its activity. In some verified cases, forensic labs such as Citizen Lab have been able to find evidence only through in-depth, manual network analysis.¹⁴

Running MVT requires moderate technical skill and a computer running macOS or Linux. While it won’t remove Pegasus, it can confirm whether your device shows signs of compromise, which is the first and most important step.

3. Isolate the device immediately

If you suspect an infection, disconnect your phone from Wi-Fi, mobile data, and Bluetooth. Pegasus relies on these connections to communicate with its operators. Do not make calls or log into any accounts from the device — each action could reveal new information to the attacker.

4. Contact a trusted security organization

Pegasus operates at a system level, meaning removal isn’t something you can do on your own. Contact professional digital security groups such as Access Now’s Digital Security Helpline or Amnesty International’s Security Lab. These organizations can analyze your device safely, confirm an infection, and guide you through the next step — containment or evidence preservation.

5. Preserve evidence and retire the device

If traces of Pegasus are found, don’t wipe your phone immediately. Create a full encrypted backup and store it securely — this data may help experts verify the infection. In confirmed cases, victims often retire the device completely, since Pegasus infections can persist even after resets or system reinstalls.

How to protect yourself from Pegasus-like spyware

You may never encounter Pegasus directly, but its tactics have inspired numerous phishing schemes, commercial spyware, and data-harvesting tools that are currently being used against ordinary users. Protecting yourself requires developing habits that defend against both state-level surveillance and common online threats.

1. Keep your devices up to date

Pegasus relies on unpatched vulnerabilities to infiltrate phones. Install software and security updates as soon as they’re available — Apple, Google, and other developers close these gaps through emergency hotfixes.

2. Review your app permissions

Regularly check which apps can access your microphone, camera, contacts, and location. If an app doesn’t need a particular permission, revoke it. If you don’t recognize an app, remove it. Reducing unnecessary access minimizes your exposure to potential exploits.

3. Be careful with links and downloads

Although Pegasus can exploit devices without your input, most spyware still relies on phishing. Don’t open unexpected attachments, and avoid downloading apps from unofficial stores. Attackers tend to disguise malware as legitimate messages or updates.

4. Strengthen your online protection

Layer your defenses. A VPN encrypts your connection, antivirus software scans for malware, and data leak monitoring services alert you if your private information shows up online. Security solutions like Surfshark One combine these protections into a single platform. While no solution guarantees immunity from advanced spyware, layered security significantly reduces vulnerability to common threats.

5. Protect your communications

Use end-to-end encrypted apps like Signal or Wire for sensitive discussions, and enable disappearing messages when appropriate. Avoid linking personal and professional accounts across devices, which can make it easier for attackers to map your online identity.

Conclusion: can you protect yourself from state-level spyware?

Pegasus revealed that any device can be compromised when targeted by state resources. Similar vulnerabilities enable everyday tracking, phishing, and data exploitation. To enhance your protection, install updates immediately, review unexpected links, and use layered security tools, including VPN encryption, antivirus scanning, and data leak monitoring.

Resources used

¹https://www.nsogroup.com/;
²https://forbiddenstories.org/pegasus-project/;
³https://www.reuters.com/world/europe/france-investigates-pegasus-spyware-claims-2021-07-20/;
⁴https://www.bbc.com/news/world-asia-india-57898194;
⁵https://www.europarl.europa.eu/news/en/headlines/society/20220401STO26373/pegasus-spyware-meps-condemn-use-of-spyware-against-citizens;
⁶https://www.ohchr.org/en/statements/2021/07/un-experts-call-moratorium-sale-and-transfer-surveillance-technology;
⁷https://www.ft.com/content/9f74c640-46d7-4b71-982b-49ff0f7dcdd7;
⁸https://citizenlab.ca/2023/05/predator-spyware-targets-egypt-greece/;
⁹https://www.nytimes.com/2022/01/28/world/middleeast/israel-pegasus-nso.html;
¹⁰https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/;
¹¹https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/;
¹²https://www.theguardian.com/world/2022/apr/18/catalan-independence-politicians-targeted-pegasus-spyware-report;
¹³https://github.com/mvt-project/mvt;
¹⁴https://citizenlab.ca/2021/07/amnesty-peer-review/;

You can’t control spyware — but you can control your connection

Secure your data with Surfshark VPN to make your surfing more private

Get Surfshark