Pegasus Project: What we know about the spyware used to hack iPhones and Android phones

Lawyers, journalists and human rights activists are being spied on by various governments using Pegasus, according to an ongoing investigation being conducted by 17 news outlets. Pegasus is hacking spyware developed by the Israeli surveillance company NSO Group.

NSO insists the software is intended to target criminals and terrorists, but a data leak of 50,000 targets, initially accessed by Amnesty International and Paris-based nonprofit Forbidden Stories, shows otherwise. 

The leak reveals that government officials and their close family members, journalists, human rights activists, political competitors, and the wife of murdered Washington Post journalist Jamal Khashoggi were among the 1,000 on the list who did not fit the criteria.

This is an ever-evolving story with articles, videos and podcasts being released by 17 media organizations that worked together to uncover how the spyware is being used around the globe.

What is Pegasus?

Pegasus is spyware designed by the Israeli company NSO Group and used by governments across the world. It has the ability to infect billions of iOS and Android phones to monitor everything happening on those devices. 

Once installed on a phone using vulnerabilities in common apps, Pegasus can take user data and transmit it back to the attacker. The data being collected could include messages, photos, emails and call recordings, and the spyware can also activate your microphone and cameras.

Previous versions of Pegasus date back to 2016, but newer iterations are more sophisticated in how much data they can harvest and how they can be implanted onto your phone without detection.

How does it work?

In the earlier builds of Pegasus, phone infections took place using a tactic called spear phishing, which involves getting people to click on a malicious link. Since then, however, the software has become much more sophisticated to the point where it can be installed on a phone without a user clicking any links. 

This is what is called a zero-click attack, where the NSO Group exploits zero-day vulnerabilities (bugs in the operating system that Apple or Google don't know about) to install its software on your phone without any interaction needed from the user.

This attack method was used in 2019 when Pegasus hacked 1,400 WhatsApp users’ phones using a zero-day vulnerability in the app. 

Once it's on a phone, the software obtains admin privileges, settles in at the core of a phone’s OS, and begins to monitor the user through apps, screen recording, and even the camera and microphone.

Are you at risk?

On a technical level, yes. NSO’s Pegasus is an ever-evolving technique that relies on zero-day vulnerabilities to find a backdoor into any phone through whatever means necessary. Even iOS struggles because the techniques used stay one step ahead of Apple.

Of the 50,000 or so people on the list of targets leaked to the press, 1,000 didn’t meet the criteria. Broken down further, 65 were business executives, 189 were journalists, 85 were human rights activists and more than 600 were politicians.

But does that mean you are at imminent risk? The average citizen is not part of a sophisticated espionage campaign like this. However, given the sheer scalability of Pegasus and the possibility for it to infect billions of phones, some may fear this to be another form of governmental control.

Jason England
Content Editor