Skip to the content

Gavin Wood, CTO at Chess, summarises in a 3 minute read what Pegasus Spyware is and how it can hack your phone. He covers:

What is Pegasus Spyware?

Unlike what is usually considered malware, Pegasus is a very specific type of cyber warfare known as spyware developed by a commercial business called NSO Group.

The Pegasus software or, more accurately, the group of exploits that form Pegasus can exploit all recent iOS versions up to iOS 14.6. As of 2016, Pegasus could read text messages, track calls, collect passwords, location tracking, access the target device's microphone and camera, and harvest information from apps.

Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of Ahmed Mansoor, a human rights activist, which led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited.


Pegasus Spyware in 2021

In July 2021, an in-depth analysis by human rights group Amnesty International uncovered that Pegasus was still being widely used against high-profile targets, alongside a well-publicised leak of up to 50,000 phone numbers of potential Pegasus targets. It showed that Pegasus could infect all modern iOS versions up to iOS 14.6 through a zero-click iMessage exploit.



How does Pegasus work?

The Pegasus software can be installed in two ways. The target (and I am using the word target here very specifically) can be sent a text message / WhatsApp message with a link. If this link is clicked, then the malware is installed, similarly to other types of malware. However, Pegasus is extra special because it's been shown to use a zero-click exploit in iMessage. The user does not even need to read the message but simply receive it, and the chain of zero-day exploits allow the software to be installed.



How can you protect yourself from Pegasus Spyware?

Good cyber hygiene practices can help prevent infection from Pegasus or any other type of malware. Phishing (or Smishing) works because these attacks take advantage of human nature to generate a result. Recently, there has been an alarming rise in WhatApp fraud, tricking people into sending money to 3rd party bad actors (often claiming to be family members). This could easily be directed into clicking links and installing software.

As a rule, if you don't know the sender, or if something doesn't look right, double-check - call the contact before clicking the link or transferring those funds.


Security Threats, Tools for Protection and The Ever Changing Landscape 

Mimecast & Chess Video Series

Watch Now


Should I be worried?

According to the excellent article by Kim Zetter, "NSO Group says Pegasus is sold only to governments and law enforcement agencies for purposes of tracking terrorists, paedophiles and other criminals. But a number of repressive regimes with poor human rights records have been caught using the tool to spy on human rights activists, journalists and anyone else who is critical of their regime." NSO themselves don't know how many installations there have been of Pegasus.

Pegasus is a nation-state cyber warfare tool designed to go undetected and track high-value targets. The costs alone in buying Pegasus and or a Zero-day exploit to be used are huge, and widespread use comes with its drawbacks. The fewer people know about the tool, the longer it will go undetected.


So, should you be worried about Pegasus?

In all reality, probably not. However, there are plenty of other threats you should consider - malware, credential-stealing software, phishing/smishing attacks. You should take preventative measures to protect your devices. A good mobile device management (MDM) platform such as Intune from Microsoft or Sophos' Mobile Security will ensure device compliance in a business environment. Regular patching and user awareness training will also play their part in keeping you and your business secure.

To learn more about how you can protect your organisation, book your free 30-minute security assessment with one of our penetration testers. Get agnostic advice from industry experts on how secure your business. Request here >

Recommended Content

Vulnerability Assessment v Penetration Test

Vulnerability Assessment v Penetration Test

Gavin Wood, CTO at Chess, explains the difference between Vulnerability Assessment and Penetration Testing and their applications.

Your Security Questions Answered

Your Security Questions Answered

Dan Cooper, Security Consultant at Chess, answers three key questions every small to medium-sized business asks themselves about protecting their data.

Gavin Wood

Gavin Wood

Gavin Wood is the Chief Technology Officer at Chess. With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he's a massive advocate for remote working and anywhere operations. 

Speak to a Product Specialist

You can fill out the form and one of our product specialists will contact you shortly with more information.
To contact our Sales team directly, please call 0344 770 6000 and choose option 4.
Customer Service
For general queries or to report a non-urgent fault, please log a ticket on our customer portal using the email address associated with your account. Logging a ticket is quick and easy to do. Once you have logged your ticket, we will respond within 24 hours or your Service Level Agreement, whichever is quicker.
I agree for my information to be used for marketing communications.
Chess Privacy Notice

By submitting your personal information through this form, you consent to your information being processed in accordance with the Chess group privacy notice.