How to Dodge Pegasus Spyware, copyright 2025 by Steve Burgess
Pegasus was a superfast magical horse from Greek mythology that could fly over barriers, see everything from above, avoid detection, and had a really cute family in Disney’s Fantasia.
The other Pegasus is a kind of Trojan horse software that infects cell phones, gets installed around barriers, is good at spying on users, and is good at avoiding detection. Feels kind of like dark magic. And is decidedly not cute.
While you might be worried that your phone is listening to you, Pegasus spyware doesn’t just listen – it rifles through your texts, photos, locations, and cat memes like Bewitched’s Mrs. Kravitz might do. Frankly, they can haz my cheezburger.
But Pegasus, built by Israel’s NSO Group, is a military-grade surveillance tool that can sneak into phones without a click, a tap, or even a suspicious “You’ve won a free cruise!” link. Creepy, right?
Before you wrap your phone in aluminum foil and bury it in the backyard, take a breath. Pegasus is very expensive software – its users, which are typically governments, pay tens of millions of dollars for its use. So, it’s typically aimed at high-profile targets like journalists, politicians, and activists. Granted, to some governments – and people – tens of millions are pocket change. But still, it’s known to be saved for those special folks who are unfortunate enough that an entity wants to spend that much to spy on them.
Pegasus isn’t the only big-time phone cracker, though. Another Israeli firm, Paragon, sells its Graphite iOS Mercenary Spyware. It was first confirmed in April of 2025, on the phones of several journalists.
Like Pegasus, it’s very powerful spyware that doesn’t require a click, also known as “zero-click” malware. Almost all other malware requires the user to click on something to enable the infection. Pegasus and Graphite don’t need this.
Though it’s quite expensive, ICE (U.S. Immigration and Customs Enforcement) signed a contract with Paragon for two million dollars to use its spyware. Its use was initially restricted, but the current US administration has lifted those restrictions, so it may become a bit more widely utilized.
Paragon says that it will only do business with democracies and that it won’t tolerate government clients who use the spyware to target members of civil society, such as journalists. But Paragon doesn’t reveal who those clients are (although we know about ICE), and we don’t know how well it will police the use of its technology.
Make up your own mind about the transparency of ICE. Still, the software’s pretty expensive and theoretically only sold to democracies, so it’s unlikely to be used by individuals against anyone.
I should mention QuaDream, founded by two former employees of NSO and also a producer of powerful zero-click malware. However, it’s widely believed to have shut down in 2023.
What’s a poor boy to do? Or a poor gal? Or a rich one?
First, note that you’re very unlikely to be targeted by Pegasus, and to a large extent by Graphite as well. With the exceptions noted above (journalists, political targets), you’re probably safe from this nasty stuff.
Still and all, all of us should treat smartphone security seriously. Here’s how to put a virtual flak jacket on your stuff.
UPDATE!
Software updates can be annoying. They always pop up when you’re about to post a photo of the grub on your plate that we all are dying to see. But updates are your first line of defense. Pegasus – and presumably Graphite – thrives on unpatched vulnerabilities—holes in your operating system or apps. Apple & Google (Android) regularly plug those leaks, so installing updates promptly is like closing the barn door before the spyware sneaks in and makes itself at home.
Don’t Click That Shady Link
Frankly, don’t click it even if it looks like it’s not shady. Malware proliferates through malicious links sent in texts, emails, and messaging apps. If you didn’t expect that “urgent delivery notice,” assume it’s malware bait. Think of links the way you think of gas-station sushi: if you’re not sure where it came from, maybe don’t. In fact, maybe don’t click on any links in emails.
Reboot
Remember when rebooting fixed everything? (I’m not talking about actually kicking the thing, no matter how you’re feeling about it at the moment.) Turns out, rebooting your phone daily is still magic. Some Pegasus infections live in memory, so restarting can kick them out—at least temporarily. It won’t cure everything, but it’s like changing the locks on your house every night just in case.
Use Secure Messaging Apps
Apps like Signal and WhatsApp use strong encryption, which keeps out most eavesdroppers. Unfortunately, Pegasus has been known to exploit them too. So, while using secure apps is smart, remember: encryption keeps your nosy neighbor out, but not necessarily a professional spy tool.
Reduce Your Attack Surface
No, this doesn’t mean cutting carbs – although, come to think of it, not a bad idea. It means turning off the stuff you don’t use. Don’t need Bluetooth? Switch it off. Not using FaceTime or iMessage? Disable them. Every extra service is another door Pegasus can try to pry open. Think of it as digital minimalism: the fewer gadgets left running, the less chance something sneaks in.
Try Lockdown Mode
If you have an iPhone and you’re really worried, Apple’s Lockdown Mode, available on iOS 16 or later, is like slamming every window and bolting every door. It restricts attachments, disables complex web technologies, and basically tells hackers, “Not today.” It may cramp your browsing style, but for high-risk folks, it’s worth the trade-off.
Remember: You’re Probably Not Pegasus’ Type
Don’t take offense, but unless you’re a journalist, politician, activist, or tech billionaire, the odds of Pegasus knocking on your digital door are slim. Still, adopting these habits won’t just protect you from elite spyware – it’ll help you avoid garden-variety malware, phishing scams, and the digital equivalent of a raccoon rummaging through your trash.
P.S. There’s a tool for that
It’s not for the faint of heart or code-wary, but there’s a tool to help detect Pegasus. It’s called the Mobile Verification Toolkit (MVT), developed in part by Amnesty International, and it’s available here.
Also, remember: if you’re not clicking links in emails or articles, you can just type the address into your address bar yourself.
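For the code-curious, here is the shape of an MVT backup scan, as an added example (my wrapper script, not part of MVT itself). It assumes MVT is installed with `pip install mvt`, that you made an encrypted iPhone backup with Finder or iTunes, and that the backup password is exported in the `MVT_IOS_BACKUP_PASSWORD` environment variable that MVT reads.

```shell
#!/bin/sh
# Added example, not from the column or the MVT project: wrap Amnesty's
# Mobile Verification Toolkit to scan one iPhone backup for known Pegasus
# indicators. Assumes: `pip install mvt` done, an ENCRYPTED Finder/iTunes
# backup (encrypted backups contain far more data for MVT to inspect), and
# the backup password exported as MVT_IOS_BACKUP_PASSWORD.

# Does this directory look like a Finder/iTunes backup?
is_ios_backup() {
    [ -d "$1" ] && [ -f "$1/Manifest.db" ] && [ -f "$1/Info.plist" ]
}

# Count MVT detection files in a results directory (0 means nothing flagged).
count_detections() {
    find "$1" -maxdepth 1 -name '*_detected.json' 2>/dev/null | wc -l | tr -d ' '
}

# Usage: scan_backup /path/to/backup [results-dir]
# Returns 0 when clean, 1 when MVT flagged something, 2/3 on usage errors.
scan_backup() {
    backup="$1"; out="${2:-mvt-results}"
    if ! is_ios_backup "$backup"; then
        echo "not an iOS backup directory: $backup" >&2
        return 2
    fi
    if ! command -v mvt-ios >/dev/null 2>&1; then
        echo "mvt-ios not found; install with: pip install mvt" >&2
        return 3
    fi
    mkdir -p "$out/decrypted"
    # Fetch the public indicator bundles (Pegasus, Predator, ...); MVT loads
    # them automatically on later check-* runs.
    mvt-ios download-iocs
    # Decrypt the backup; the password comes from MVT_IOS_BACKUP_PASSWORD so
    # it never shows up in the process list.
    mvt-ios decrypt-backup -d "$out/decrypted" "$backup"
    # Compare the extracted artefacts (SMS, Safari history, process names,
    # crash logs, ...) against the indicators.
    mvt-ios check-backup --output "$out" "$out/decrypted"
    n=$(count_detections "$out")
    echo "MVT finished: $n detection file(s) in $out"
    [ "$n" -eq 0 ]
}

# Run directly: sh scan.sh "$HOME/Library/Application Support/MobileSync/Backup/<udid>"
if [ -n "${1:-}" ]; then scan_backup "$@"; fi
```

A non-zero exit only means MVT matched a published indicator; read the `*_detected.json` files before drawing conclusions, and keep the original backup untouched for anyone who helps you investigate.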
Here’s wishing you a James Bond/Dr. Evil-free phone and happy computing.