Pegasus doesn’t need you to click anything. Here’s how it gets in.

Short answer

Pegasus doesn’t require a malicious link or a compromised attachment. It exploits vulnerabilities in apps already installed on your phone — iMessage, WhatsApp, FaceTime — and installs without any action from you. No link, no notification, nothing out of the ordinary.

The most dangerous thing about Pegasus is not what it does once it is on your phone. It is how it gets there.

Most people who work in sensitive environments have internalised the basic rule: don’t click links from sources you don’t trust. Don’t open attachments from unknown senders. That discipline is real and it matters. It also does not protect you from Pegasus, because Pegasus stopped needing you to click anything years ago.

What Pegasus actually is

Pegasus is a commercial surveillance tool developed by NSO Group, an Israeli company that sells exclusively to government clients. It is not sold to private individuals or corporations. The governments that purchase it use it to surveil targets, and the documented list of targets includes journalists, NGO workers, human rights lawyers, diplomats, and heads of state.

It is, by any technical assessment, among the most capable mobile surveillance tools ever built. It runs invisibly. It exfiltrates messages, calls, emails, contacts, photos, location data, and can activate the microphone and camera. Once installed, the device is effectively transparent to whoever deployed the tool.

The zero-click attack

For most of its history, Pegasus relied on what is called a “one-click” attack: a malicious link sent to a target that, when clicked, exploited a vulnerability in the phone’s browser or a linked application to install the spyware. The attack required the target to do something.

Citizen Lab and Amnesty International’s Security Lab documented a shift. Pegasus began exploiting vulnerabilities in applications that are running on your phone whether you are using them or not: iMessage, WhatsApp, FaceTime, and other apps that process incoming data automatically. The attack arrives as a message, or even just as data sent to a port your phone has open, and the installation completes without any action from you. You do not see a notification. You do not receive a suspicious link. Nothing appears out of the ordinary, because nothing happened in the ordinary sense.

In September 2021, Citizen Lab disclosed a zero-click exploit targeting a fully patched iPhone running iOS 14.7.1. The vulnerability was in Apple’s image rendering library, triggered by a malicious PDF delivered silently through iMessage. Apple patched it. More followed. (See: what happens after the compromise — what they can extract in 6 hours.)

Who has been targeted

The documented cases are not abstract. In 2021, Amnesty International and Forbidden Stories published the Pegasus Project, a forensic investigation involving seventeen media organisations. The investigation identified 50,000 phone numbers selected as targets by NSO Group clients. Among the confirmed targets: journalists at major international outlets, a French cabinet minister, the fiancée of Jamal Khashoggi, multiple heads of state, and dozens of human rights activists and NGO workers operating in regions of political sensitivity.

In the specific context of NGO workers: Citizen Lab documented Pegasus infections on the phones of activists and civil society workers in multiple countries, including individuals with no obvious media profile whose primary exposure was working in environments where a government client had an interest in their organisation’s activities.

The selection criterion for targeting is not celebrity or fame. It is operational relevance to whoever purchased the tool. (See: the threat profile for long-term deployment.)

What makes it nearly impossible to detect

Pegasus is designed for operational invisibility. It consumes minimal battery. It uses cellular data rather than Wi-Fi where possible, and in limited quantities, to avoid detection through usage anomalies. It can self-destruct if it detects it is being analysed. Older forensic indicators that Citizen Lab developed to detect it were patched in later versions.

The most reliable detection method currently available to civilian researchers is Mobile Verification Toolkit, developed by Amnesty International’s Security Lab. It analyses phone backups for forensic artifacts associated with known Pegasus versions. It requires technical competence to run correctly, and it can only detect what has been identified. A new version using an undiscovered exploit would not appear in its database.

No commercially available antivirus software reliably detects Pegasus. The security tools on your phone are not built for this threat level.

What you can actually do

The honest answer is that individual defences against a zero-click Pegasus attack, deployed by a well-resourced government with a legitimate licence, are limited. This is not a problem that a VPN solves. It is not a problem that a strong password solves. Pegasus operates above the layer where those tools function.

What changes the calculation is not technical hardening. It is reducing the probability of being targeted in the first place.

Understand who has the capability to deploy Pegasus and who their clients are. NSO Group sells to governments. Not every government has access. Not every government with access targets NGO workers indiscriminately. Knowing the specific threat environment of your deployment is step one. (See: the operational framework this fits into.)

Periodic device replacement. A device compromised by Pegasus cannot be reliably cleaned by the user. The only guaranteed remediation is a new device. For individuals in high-risk deployment contexts, periodic device replacement on a schedule is the only reliable mitigation available outside of professional forensic analysis.

Lockdown Mode on iOS. Apple introduced Lockdown Mode in iOS 16 specifically in response to commercial spyware threats. It disables a significant number of attack surfaces, including some that have been exploited in documented Pegasus attacks. It limits functionality, by design, but for high-risk individuals it is the most meaningful single mitigation an individual can take on their own device.

Keep software updated. Most successful Pegasus attacks in documented cases exploited vulnerabilities that were subsequently patched. A phone running current software is not immune, but it narrows the available attack surface. Delay on updates is a real and frequently exploited gap.

Compartmentalisation. The phone used for high-sensitivity communications in a high-risk environment should not be the phone used for everything else. It limits the value of the device if compromised. It also means that a compromise of your personal phone does not automatically extend to operational communications.

What Lockdown Mode actually does

Enabling Lockdown Mode in Settings > Privacy & Security > Lockdown Mode disables iMessage link previews, blocks most message attachment types, disables FaceTime calls from contacts not in your address book, restricts web browsing features, and blocks wired connections to computers when the device is locked. These are the specific surfaces that have been exploited in documented Pegasus attacks. It will change how you use your phone. For the specific threat it addresses, that trade-off is correct.

Frequently asked questions

Can Pegasus be installed without me clicking anything?

Yes. Documented zero-click attacks have exploited vulnerabilities in iMessage, WhatsApp, and other applications that process incoming data automatically. The installation completes without any action from the target. Apple, WhatsApp, and other affected companies have patched the specific vulnerabilities used in documented attacks, but new vulnerabilities are discovered and exploited on an ongoing basis.

Who is targeted by Pegasus?

Governments that have purchased access to Pegasus from NSO Group select their own targets. The documented target list from the 2021 Pegasus Project investigation included journalists, NGO workers, human rights lawyers, political figures, and activists. The common thread is operational relevance to a government client, not public profile or fame.

Does Lockdown Mode protect against Pegasus?

Lockdown Mode reduces the attack surface by disabling specific features that have been exploited in documented Pegasus attacks. It is the most meaningful individual mitigation available on iOS for this threat. It does not make a device immune to all zero-click attacks, particularly those using undisclosed vulnerabilities, but it significantly narrows the available options for attackers.

Can I detect Pegasus on my phone?

Amnesty International’s Mobile Verification Toolkit can identify forensic artifacts associated with known Pegasus versions in phone backups. It requires technical competence to run and cannot detect versions using previously undiscovered exploits. No commercially available security software reliably detects Pegasus.
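To illustrate the indicator-based approach that the detection passage above and this answer describe, here is an added example (written for this page; it is not MVT's own code and uses none of its indicators). It matches constructed backup records against a constructed indicator list: the domains, process names, timestamps and records are all placeholders. The point it makes is the one the text makes: a record pointing at a domain that is not in the list produces no finding, however suspicious it looks.

```python
"""Indicator-based scan of records extracted from a phone backup.

Constructed example: the indicators and records below are placeholders
(reserved .example/.invalid names, made-up process names), not real
Pegasus artifacts. A real scan would load a lab-published indicator file.
"""
from urllib.parse import urlparse

# Constructed indicator set (placeholders, not real IoCs).
KNOWN_DOMAINS = {"cdn-update.example", "push-relay.invalid"}
KNOWN_PROCESSES = {"placeholder-proc-a", "placeholder-proc-b"}

# Constructed records in the shape a backup-analysis tool extracts:
# (source table, timestamp, value). Several are benign on purpose.
SAMPLE_RECORDS = [
    ("sms", "2021-07-14T09:02:11Z", "https://news.example.org/story/123"),
    ("sms", "2021-07-14T09:02:40Z", "https://a.cdn-update.example/i/9f2"),
    ("safari_history", "2021-07-15T18:11:03Z", "https://CDN-UPDATE.EXAMPLE/"),
    ("safari_history", "2021-07-15T18:12:55Z", "https://notcdn-update.example/"),
    ("datausage", "2021-07-16T02:40:00Z", "proc:placeholder-proc-a"),
    ("datausage", "2021-07-16T02:41:00Z", "proc:mDNSResponder"),
    ("sms", "2021-08-01T11:00:00Z", "https://never-seen-before.invalid/x"),
]


def host_of(url):
    """Lower-cased hostname of a URL, or None if it has none."""
    try:
        host = urlparse(url).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def host_matches(host, indicators):
    """Return the indicator that host equals or is a subdomain of.

    A plain substring test would wrongly flag 'notcdn-update.example'
    for the indicator 'cdn-update.example'; the dot-boundary check avoids it.
    """
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan(records, domains=KNOWN_DOMAINS, processes=KNOWN_PROCESSES):
    """Return one finding per record that matches a known indicator."""
    findings = []
    for source, ts, value in records:
        if value.startswith("proc:"):
            name = value[len("proc:"):]
            if name in processes:
                findings.append({"source": source, "ts": ts,
                                 "value": value, "indicator": name})
            continue
        host = host_of(value)
        if host is None:
            continue
        ioc = host_matches(host, domains)
        if ioc is not None:
            findings.append({"source": source, "ts": ts,
                             "value": value, "indicator": ioc})
    return findings


def unmatched_hosts(records, domains=KNOWN_DOMAINS):
    """Hosts the scan says nothing about: no indicator, so no finding.

    This is the blind spot the text describes; an unknown version using an
    undisclosed exploit and fresh infrastructure lands here, not in scan().
    """
    seen = set()
    for _, _, value in records:
        host = host_of(value)
        if host is not None and host_matches(host, domains) is None:
            seen.add(host)
    return seen


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"MATCH {f['source']} {f['ts']} {f['value']} -> {f['indicator']}")
    print("no indicator for:", sorted(unmatched_hosts(SAMPLE_RECORDS)))
```

Running it flags the subdomain hit, the upper-cased hit and the placeholder process, leaves the look-alike domain alone, and lists the unknown host only under "no indicator for". That last line is the limitation the text states: the tool can confirm what has already been catalogued and is silent about everything else.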


There’s no perfect setup. Anyone selling you perfect is selling fear. The goal is simple: make yourself a harder target than the person next to you.
