Device security · Threat guide

How to protect your phone from Pegasus-class spyware.

By Helix · ~2,100 words · A realistic defense guide, honest about the limits

Pegasus-class spyware is the most serious threat a phone faces, and it's surrounded by more myth than almost any topic in security. Some people think it's unstoppable magic; others think a single app will swat it away. Neither is true. This guide gives you the realistic version: what this class of spyware actually does, the hardening steps that genuinely raise your cost to an attacker, how honest detection works, and — most importantly — a frank account of what any app can and cannot see beneath the operating system. If you're a journalist, lawyer, executive, or activist who could plausibly be targeted, this is for you.

1. What "Pegasus-class" actually means 2. Why encryption alone doesn't help here 3. Hardening that actually works 4. Honest detection: finding what got in 5. What an app can and can't see beneath the OS 6. If you think you're already infected 7. Where Helix fits 8. The honest limits 9. The bottom line

1. What "Pegasus-class" actually means

"Pegasus" is the best-known name, but the category is broader: mercenary, commercially sold spyware that targets specific individuals. The defining traits are consistent across vendors. It is usually delivered by a zero-click exploit — a malicious message, call, or media file that compromises the phone with no tap or mistake from you. It runs with deep privileges, often at or near the kernel. And once resident, it reads your messages after they're decrypted on screen, captures keystrokes, harvests photos and contacts, and can turn on the microphone, camera, and location at will. For the full anatomy, see how Pegasus works.

The crucial point: this is targeted, expensive tooling. It is not sprayed at millions of people like ordinary malware. That fact shapes the entire defense — your goal is not to be invincible, it is to be expensive and noisy enough that the attack isn't worth it or doesn't stay hidden.

2. Why encryption alone doesn't help here

People reach for "I use an encrypted messenger" as their answer, and against this threat it does almost nothing. End-to-end encryption protects a message in transit — ciphertext on the wire. Pegasus-class spyware doesn't touch the wire. It sits on the endpoint and reads the plaintext the moment your app decrypts it for you to read, or captures your keystrokes as you type. The encryption did its job perfectly and the attacker simply waited until after it finished. Defending against this class is therefore a device problem, not a messaging problem. Encryption is necessary; it is nowhere near sufficient.

The hard truth: against an endpoint implant, the strength of your encryption is irrelevant. The attacker reads your screen, not your traffic. Defense has to live on the device, in hardening and detection — not only in the messenger.

3. Hardening that actually works

None of these make you immune. Each one measurably raises the cost and lowers the odds, and stacked together they matter.

Update relentlessly, and reboot. Most zero-click chains exploit known, patched bugs against people who are behind. Patch the day updates land. A periodic reboot can also evict non-persistent implants that don't survive a restart — a small habit with real value.
Turn on the platform's lockdown setting. Apple's Lockdown Mode and the equivalent hardening on a security-focused Android build disable the exotic message-parsing and preview features that zero-click exploits ride in on. It costs you a little convenience and removes a lot of attack surface.
Shrink the inbound surface. Disable link previews and auto-download of media. Don't open attachments from unknown senders. A surprising share of zero-click payloads arrive as a "message" your phone tries to render before you even look at it.
Reduce app count and permissions. Every app is potential surface. Remove what you don't use; revoke mic, camera, and location from apps that don't need them.
Harden the identity layer. Get your 2FA off SMS and watch for a SIM swap. A number takeover is a common first step in a broader targeting campaign.
Consider a hardened OS for the highest risk. A stripped, de-Googled build such as GrapheneOS removes default-trusted services and gives you visibility a black-box consumer OS can't.
Protect the physical and travel layer. Watch for evil-twin Wi-Fi, and use a real border mode to minimize what's on the device before a crossing.

4. Honest detection: finding what got in

Because prevention is never total against this class, detection is the other half of the strategy — and the half most products skip. Honest detection works by matching the state of your device against a feed of real-world indicators of compromise: malicious process names, known command-and-control domains, suspicious configuration profiles, anomalous file artifacts, and the forensic traces documented by researchers like Amnesty International's Security Lab and Citizen Lab. When a match appears, you get a timestamped alert instead of being watched in silence. That conversion of silence into a signal is the single most valuable thing detection does. We go deeper in real-time Pegasus detection, and pair it with a mic and camera monitor that fires when an app reaches for your sensors.

5. What an app can and can't see beneath the OS

This is where honesty separates a real tool from snake oil, so let's be precise. A security app runs in userspace — the same privilege layer as your other apps. From there it can see a great deal: running processes, network connections, configuration profiles, file artifacts, sensor access requests, and signs of tampering or an unexpected reboot. That is genuinely useful, and it catches the overwhelming majority of indicators that mercenary spyware leaves behind.

But a Pegasus-class implant that has achieved kernel-level privilege sits beneath the app. In principle it can hide its own processes, filter what the OS reports, and lie to anything in userspace asking questions — including a security app. No userspace tool can fully guarantee it sees a sophisticated kernel implant that is actively hiding. Anyone who tells you their app "removes Pegasus" or "makes you immune" is either confused or lying. The honest claim is narrower and still valuable: a good detector finds known indicators and risky states, raises the attacker's cost, and turns many silent compromises into loud ones. It is a strong signal, not a guarantee.

6. If you think you're already infected

If you have real reason to believe you're targeted, treat the suspect device as compromised and stop using it for anything sensitive. Don't try to "clean" it in place — assume it's listening. Use a separate, trusted device to change critical passwords and revoke sessions. Preserve the suspect phone for forensic analysis rather than wiping it; the artifacts may matter. And get help from a qualified digital-security responder — organizations like Access Now run a digital security helpline for civil society. Speed and calm both matter more than heroics.

7. Where Helix fits

Helix is built for exactly this two-part strategy: prevention where it's possible, detection where it isn't. On the device side it runs live mercenary-spyware detection against a feed of thousands of real-world indicators, plus daily malware scanning, evil-twin and network detection, and a mic and camera monitor — on standard iOS, Android, Windows, macOS, and Linux, the phone you already carry. On the comms side it removes the most common inbound channel for zero-click payloads: messaging runs on Helix's own closed network with no phone number and bespoke post-quantum protocols, giving a pre-built exploit nothing standard to aim at. For the highest-risk users, the optional Helix Hardened Phone starts from a locked-down GrapheneOS foundation, and the coercion layer — duress unlock, decoy vault, auto-wipe, and remote wipe — is built in.

$199/month Core · $499/month Operator · $999/month Sovereign — or 30% off paid annually; lifetime VIP $12,500.

8. The honest limits

No phone is unhackable. A sufficiently funded adversary with a pristine zero-day can compromise any device, including a hardened one, and a kernel-level implant can hide from userspace tools. Detection finds known indicators and risky states — it is a strong signal, not a guarantee. The honest goal is to make you expensive to attack and hard to surveil quietly, not invincible.

What serious defense buys you is not a magic shield; it's a dramatically higher cost of attack and a tripwire if someone pays it. Off-the-shelf targets get hit with reused tooling; a hardened, monitored, own-protocol device forces an adversary to burn a rare capability and operate without a single mistake to stay hidden. Detection turns their greatest advantage — silence — into a timestamped alert. That is what winning realistically looks like against this class.

9. The bottom line

You protect a phone from Pegasus-class spyware the way you defend anything against a determined attacker: shrink the surface, patch relentlessly, harden the device and the identity, remove the standard inbound channel, and — because prevention can't be total — watch the device so a compromise can't stay quiet. No single download makes you immune, and anyone who promises that is selling a feeling. The realistic, honest goal is to be expensive and noisy enough that the attack fails or gets caught. That posture is exactly what Helix is built to give you.

Get Helix — from $199 How Pegasus works

Three tiers, fixed and published. Core, Operator, Sovereign — or 30% off annually, lifetime VIP $12,500. Buy it or don't; no negotiation, no surprises.