How to Detect Pegasus Spyware on iOS and Android?

Pegasus has been in the headlines of major media outlets for a couple of weeks now, resurfacing such burning issues as freedom of expression and privacy concerns. The hype over Pegasus is quite reasonable: it is one of the most powerful and covertly operating software in its niche. With more and more witnesses confessing their Pegasus experiences, people now want to know how to check for Pegasus spyware and what security measures to take to keep their private data intact.

In this article, we’ll cover:

What Is Pegasus?

Pegasus is an intelligence surveillance solution designed to help governments combat terrorism and crime, according to NSO Group, an Israeli-based tech agency that built this software.

When landed in the wrong hands, however, Pegasus is nothing else but spyware extracting highly sensitive personal information from the targeted individuals’ mobile devices.

The reason why the software was named after a Greek mythology creature lies in its capability to be installed remotely, literally, over the air. The latter is Pegasus’ distinctive feature as most malware requires some kind of user interaction, like clicking a link or a button.

How Does Pegasus Work?

According to the Pegasus official product documentation, the software can be installed either remotely or injected directly into the target’s phone.

Remote Installation

This method of injecting Pegasus requires the targeted individual’s phone number or email; however, no or minimal user activity is needed to launch the installation. The latter can be performed via:

  • Over-the-Air (OTA). The name of this technique is quite metaphorical, alluding to the spyware transmission mode’s similarity to the effortless fly of the Ancient Greece winged horse. The exact technical realization is a commercial secret, yet this feature is what distinguishes Pegasus from a range of similar solutions. The OTA method most likely relies on zero-day and zero-click vulnerabilities. What happens is that the threat agent uses the victim’s phone number or email to send a push message that triggers the device to install Pegasus. The entire process happens covertly with zero engagement from the affected user. The installation is completed without any notifications disturbing the target, leaving them unaware of the intrusion.
  • Social Engineering Message. This technique is well-known by cybersecurity experts and the general public. A carefully crafted SMS or email is sent to the target. Its contents lure the person into opening it and clicking a malicious link. After a successful click, whether accidental or intentional, Pegasus will launch the installation, again, in complete silence.

Physical Installation

Pegasus can also be installed manually, and the entire procedure takes about five minutes. Obviously, this method is impossible without physical access to the target’s phone. After the installation is over, the device can be surveilled remotely, just like in the cases above.

Data Management

All the data Pegasus collects goes to an encrypted and well-hidden buffer. To mask the process of temporary data storage, the buffer consumes no more than 5% of the phone’s storage – quite a small percentage, which is unlikely to raise any suspicion in the user. Moreover, once the data is successfully transmitted to the server, the buffer is cleared.

What Data Can Pegasus Harvest?

Pegasus is undoubtedly very powerful and highly invasive spyware. With zero-click attacks, be it an unopened iMessage, or unanswered FaceTime, or WhatsApp call, it can penetrate targeted devices in the most surreptitious way.

Once in, Pegasus can instantly extract and monitor in real-time all the available data, such as:

  • SMS
  • Emails
  • Instant Messenger Chats (including encrypted ones like Signal or Telegram)
  • Calendar records
  • Browsing history and saved favorites
  • Location tracking (GPS and Cell-ID)
  • Device information (model, network, connection, battery level, etc.)

Pegasus can also ask the device to perform a range of other requests like:

  • Turn GPS on for data sampling and turn it off right after
  • Turn on the microphone and start recording (in idle mode)
  • Record calls
  • Retrieve files and folders
  • Take photos from the front and rear cameras (in idle mode, no flashlight, picture quality can be customized for faster transmission)
  • Take screenshots
Need Help in Security Testing?

Go and Get It

Victims of Pegasus Spyware

Pegasus is not a new phenomenon. It’s been in the works for a long time, and the first time the world discovered it goes back to 2016 when a failed attempt to jailbreak a human rights activist’s iPhone ignited further investigation and a spike in media coverage.

Since then, Pegasus made it to the news several more times. In 2017, for instance, over 70 Pegasus injection attempts were reported by Mexican journalists. In 2019, WhatsApp sued NSO for exploiting their instant messenger vulnerability to hack WhatsApp users’ devices.

In 2021, Pegasus is back in the spotlight, raising concerns about the freedom of the press and surveillance abuse by intelligence organizations worldwide.

Client Countries Affected Individuals General Stats
Azerbaijan Journalists 50K phone numbers leaked
Bahrain Human rights activists 600+ gov officials targeted
Hungary Cabinet ministers 189 journalists targeted
India Diplomats 85 human rights activists targeted
Kazakhstan Military officers 65 business execs targeted
Mexico Security officers 37 confirmed attacks
Morocco Business owners 40+ countries are NSO clients
Rwanda C-level executives 60+ organizations use NSO services
Saudi Arabia Heads of states 17 media organizations investigating the issue
UAE Prime ministers 2018 – first zero-click attack spotted
UAE Royal family members 1400 WhatsApp users affected
Sources: BBC, The Washington Post, Amnesty International
50K phone numbers leaked
Human rights activists
600+ gov officials targeted
Cabinet ministers
189 journalists targeted
85 human rights activists targeted
Military officers
65 business execs targeted
Security officers
37 confirmed attacks
Business owners
40+ countries are NSO clients
C-level executives
60+ organizations use NSO services
Saudi Arabia
Heads of states
17 media organizations investigating the issue
Prime ministers
2018 – first zero-click attack spotted
Royal family members
1400 WhatsApp users affected

How to Detect Pegasus Spyware on iOS and Android?

Although Pegasus is no threat to an average mobile user – for one, this kind of campaign costs millions of
dollars – it’s always a good idea to keep yourself informed of the latest security solutions.

When it comes to stalkerware, it usually makes your phone behave in an odd way. If you’re attentive enough, you’ll be able to spot some red flags, such as:

  • Unexpected notifications or calls
  • Battery drain
  • Increased storage consumption
  • Unreasonable overheating
  • Random shutdowns and restarts
  • Prolonged shutdown time or difficulty to reboot the device
  • Sluggish performance
  • Files with unusual extensions
  • Weird noises during calls
  • Screen lighting up in standby mode
  • Suspicious apps you don’t remember installing and ever using

The problem, however, lies in that spyware developers are well-aware of these signs and continuously elaborate their attack strategies to obfuscate any traces of malware on your device. For example, Pegasus causes minimal battery drain and will stop transmitting data when the charge level falls below 5%.

So here arises the question of how to detect Pegasus spyware. It’s easy to get confused and eventually drown in the plethora of modern-day security apps. We’ll break it down for you and focus only on the apps that are specifically designed to identify traces of Pegasus spyware on mobile phones.

Mobile Verification Toolkit

This app was released by Amnesty International, a human rights group with over ten mln members worldwide. The organization has been gleaning information on the Pegasus spyware for several years and used the results of its investigation to build a security app performing forensic analysis of iOS and Android devices.

MVT’s source code is available to the general public, so it can be considered open source, even though its license imposes some use restrictions, mainly to prevent cases of adversarial forensics. What all this implies is that the tool can only be used if the person whose phone will be scanned gave their consent.

Currently, MVT has no GUI, which means it requires some knowledge of command-line tools. Moreover, it is primarily designed for forensic analysis experts and investigators, so non-technical users would still need to turn to professionals for help.

Nevertheless, if you are a tech-savvy user curious to explore the tool, here you can find the MVT documentation on how to install and run it.

MVT Features

MVT can only run on Linux and Mac, so Windows users would also need to install the Windows Subsystem for Linux to be able to use it.

Although MVT can be used to scan both iOS and Android phones, it shows better results for Apple devices, and its Android functionality is quite limited.

Here are the major things you can do with MVT to facilitate your forensic analysis:

  • Decode encrypted iOS data
  • Process and parse data from multiple iOS apps and the system database
  • Retrieve info on installed Android apps
  • Use adb protocol to retrieve diagnostic info from the Android device
  • Scan the extracted records for the presence of malicious indicators in STIX2 format
  • Create a chronological timeline of all the retrieved records
  • Create a chronological timeline of suspicious artifacts and potentially hazardous traces

MVT Challenges

Once again, MVT is not a tool one should mess around with, as improper use may cause personal data loss or deterioration of the device performance. For example, if creating iTunes or Finder backup did not yield the desired results, jailbreaking the phone would be the next step to take. The latter, however, is not recommended if you intend to use that iPhone again.

All in all, here are the factors to consider before using MVT:

  • False positives are common (here expert advice is needed to filter the alerts)
  • Access to the full file system requires a jailbreak
  • Not every iPhone or iOS version is suitable for jailbreak
  • Jailbreaking may pollute some records or cause the device to malfunction
  • Android checks are limited to analyzing APKs and SMSs
  • The tool is difficult to use for non-techies

iVerify 20.0

According to Ryan Stortz, Head of Product at Trail of Bits, the latest version of iVerify will now alert you of any traces of Pegasus spyware on your phone.

Embedded Tweet

Unlike MVT, iVerify is a proprietary, consumer-facing software, which means it has an easy-to-use GUI and admin panel. The product offers two plans – one for enterprise and the other for individual security, readily available in the App Store.

For enterprises, iVerify is subscription-based, costing $3 per user monthly, whereas individual consumers can get the app with a one-time purchase for $2,99.

iVerify Features

Like any other app in the cybersecurity niche, iVerify cannot guarantee 100% protection. The app runs security checks every ten minutes to scan the phone’s system for signs of jailbreaks and infections. For example, it will pay attention to known bad files or suspicious folders and URL handlers that shouldn’t have existed there in the first place.

Let’s have a look at some of the app’s core features:

  • Device Scans to ensure all crucial settings are configured properly
  • Protection Guides to educate users on how to implement multiple security layers
  • Threat Detection to respond to security alerts in real-time
  • Secured Accounts to verify the security of social media platforms and service accounts
  • Secured Browsing to protect your privacy while searching

So if you ever wonder, ‘How to find spyware on my phone’, you’ll immediately know what cost-effective and reliable app you could use.

Enterprise users also have several exclusive features, such as a risk analysis dashboard for immediate insights on the entire organization, seamless user import from Okta, GSuite, or Azure AD, and an admin panel to manage devices.

iVerify Challenges

As we mentioned above, iVerify is designed for end-users, so it doesn’t require a strong technical background for consumers to be able to install it and enjoy its immediate benefits. At the same time, the product is still being developed, and it has some shortcomings, such as:

  • Integrations for member management are limited (Okta for SSO, GSuite, Azure AD)
  • Android support is yet to be released
  • iVerify cannot tell if specific apps are installed
  • iVerify does not scan network data

Other Spyware like Pegasus

Pegasus is not the only spyware that got in the eye of the storm. If we turn to Google and dig deeper on Pegasus alternatives, we’ll be able to discover several more options in no time. And we’re not talking about “mass market” spyware like Spyera, XNSPY, or FlexiSPY. The latter solutions are primarily designed for parental control, employee monitoring, or paranoid spouses. Moreover, they cannot be installed remotely as they require manual installation and some features may require a jailbreak or root access.

Speaking of surveillance tools of a nationwide or global impact, we can name a few.


FinFisher, also known as FinSpy, is the cyber investigation software developed by a German-based IT company in 2008. According to the official website, the company provides its services exclusively to law enforcement and intelligence agencies, and its mission is to fight organized crime.

FinSpy is a multi-platform solution that infects Windows, macOS, Linux, iOS, and Android systems. To implant FinSpy in an iOS device, the threat agent would first need to jailbreak the OS manually, and only then could they install the spyware. The remote infection is done either via SMS, email, or WAP push. As for Android, FinSpy also makes it possible to utilize root privileges on an unrooted device by exploiting known vulnerabilities.

FinSpy resembles Pegasus in that it can also collect information from instant messengers, including those considered most secure – Telegram, Signal, and Threema. On top of that, FinSpy can record VoIP calls, be it WhatsApp, Skype, WeChat, LINE, Signal, or Viber.


Candiru is spyware developed by an Israel-based company currently registered by the name Saito Tech Ltd. The spyware clientele is predominantly made up of government organizations and authoritarian leaders. Candiru can infect desktop, mobile, and cloud users.

Unlike FinFisher, Candiru is not openly marketed, and its infrastructure remains well-hidden. Considering the leaked by TheMarker proposal describes Candiru, the spyware can extract and actively monitor lots of private data – from contacts, SMSs, and browser history to Dropbox, Google Drive, and instant messenger contents. Candiru can also intercept calls, record the surroundings, take screenshots, and display the Wi-Fi network and its changes.


Imagine having not a single spyware solution but an entire surveillance toolkit, a one-stop shop for offensive cybersecurity. That’s exactly what Intellexa claims to offer.

Intellexa positions itself as an alliance of cyber intelligence organizations catering to the needs of intelligence and law enforcement agencies. It has combined the expertise of three tech companies – Nexa, WiSpear, and Cytrox – specializing in sensor interception & big data analytics, Wi-Fi surveillance solutions, and data collection from end-point devices and cloud services, respectively.

How to Protect Yourself Against Spyware

While Pegasus still remains a mystery in many aspects, especially when it comes to its technical realization, following tried-and-true security measures and recommendations can go a long way in protecting your privacy and data integrity.

Here are simple steps one can take to diminish the harm inflicted by Pegasus itself and Pegasus-like spyware:

  • Restart your phone. In such a way, you can stop Pegasus from functioning for some time. This hack applies to iOS devices only.
  • Go back to default settings. Before making this step, it’s important to remember that factory reset will wipe all the personal data along with potential malware traces. Factory reset does not guarantee Pegasus removal, especially considering data recovery is still possible.
  • Update your software. Keep your OS and all the installed apps promptly updated to reduce the risk of zero-day vulnerabilities being exploited.
  • Remove suspicious devices. Check if your instant messengers and online accounts are connected to unknown devices.
  • Change passwords. Write down all the passwords stored in your smartphone and reset all of them.

Summing Up

The recent findings on Pegasus’s intrusiveness and subtle nature have made many of us reconsider our attitude to personal and enterprise security. While Pegasus is a matter of international concern, we are all responsible for educating ourselves and implementing necessary security controls to protect our identities and data integrity. Pegasus is unique in many ways, yet it is not the only spyware on the market; tons of other apps might have been abused. If you fear someone spies on you or your company security is lagging behind, contact a professional security expert before the intruder eavesdrops on your every move.

Have you ever faced traces of spyware on your devices? Please share your stories in the comments!

Did you know over 5.6 malware attacks happen every year?

Protect your software from hackers in the development stage.
How to Detect Pegasus Spyware on iOS and Android?