How Pegasus spyware works — and why it beats "encrypted" apps
Pegasus is the most consequential piece of spyware ever built for phones. It can land on a fully updated device without a single tap from the victim, and once it's there it owns everything. This is how it works, who builds it, who it hunts, and what actually stops it.
1. What Pegasus is — and what it is not
Pegasus is commercial spyware: a remotely deployed surveillance implant for smartphones, sold as a product to government clients. It is not a virus that spreads on its own, not something you catch by browsing the wrong website by accident, and not a tool aimed at the general public. It is a precision weapon, pointed at specific people, and it is extraordinarily good at what it does.
The reason Pegasus matters to anyone thinking seriously about privacy is simple: it shattered the comfortable assumption that a careful person is safe. For years, security advice boiled down to "don't click suspicious links, keep your software updated, use encrypted apps." Pegasus made all three of those things insufficient at once. It can infect a current, patched iPhone or Android device with no link to click and no action by the victim, and it routinely defeats the encrypted apps people trust — not by breaking their cryptography, but by stealing the data before or after it is encrypted, directly on the device. Understanding why is the whole point of this article.
2. Who builds it: the mercenary-spyware industry
Pegasus is the flagship product of NSO Group, an Israeli company founded in 2010. But NSO is not alone. It is the most famous name in a sprawling, secretive industry of "lawful intercept" and "cyber-intelligence" vendors that sell intrusion capabilities to states. These firms market themselves as suppliers to law enforcement and intelligence services fighting terrorism and serious crime. In practice, the same capabilities have repeatedly been turned on journalists, lawyers, activists, opposition politicians and the relatives of dissidents.
The industry exists in a deliberate grey zone. Vendors argue they only sell to vetted government clients and are not responsible for misuse. Investigations by organizations such as Citizen Lab at the University of Toronto and Amnesty International's Security Lab — most prominently the 2021 "Pegasus Project," a collaboration of dozens of news outlets — have documented case after case in which the targets were not criminals but inconvenient critics. The result has been lawsuits, export-control actions, and one of the most damaging exposés in the history of the surveillance trade. And yet the market has not gone away; it has fragmented and multiplied, with new vendors stepping in wherever old ones falter.
3. Why it exists: the economics of intrusion
To understand Pegasus you have to understand the perverse market that funds it. Modern phones are, for most people, the single richest repository of their lives: messages, photos, location history, contacts, finances, calendars, and the microphone and camera that travel everywhere they go. They are also, increasingly, end-to-end encrypted. For a state that wants to read a target's communications, the network is going dark — content captured in transit is just ciphertext.
That created enormous demand for a way around encryption, and the answer was to attack the endpoint. If you can take over the phone itself, encryption is irrelevant: you read the message on the screen exactly as the user does. The capability that makes this possible — a reliable, remote, stealthy compromise of an up-to-date device — is rare and expensive to develop. It depends on chains of "zero-day" vulnerabilities (flaws unknown to the device maker, for which no patch exists). On the open market a single high-quality zero-click iPhone exploit can be worth millions of dollars. Vendors like NSO industrialize the discovery, chaining and packaging of these flaws, then rent the capability to governments for ongoing fees. The economics are brutal and simple: as long as states will pay millions to read a phone, someone will build the means to do it.
4. The first generation: one-click infection
Early Pegasus deployments relied on social engineering. The operator sent the target a text message or email containing a malicious link — often disguised as a news alert, a package-delivery notice, a message from a colleague, or bait tailored to the victim's interests and fears. If the target tapped the link, their browser silently loaded an exploit that compromised the device and installed the implant. The user saw, at most, a page that failed to load or redirected somewhere innocuous.
This worked, but it had a weakness: it required the victim to click. Sophisticated targets — the journalists and activists most likely to be surveilled — learned not to. Security trainers drilled "don't click unknown links" into exactly the population NSO's clients most wanted to watch. So the vendors invested in removing the click from the equation entirely. That investment produced the capability that made Pegasus infamous.
5. The leap: zero-click attacks
A zero-click attack compromises a device without any interaction from the victim. No tap, no preview, no decision. The target simply receives something — a message, a call, a file — and the mere act of the phone processing that data, automatically and in the background, is enough to trigger the exploit and install the implant. The victim may never even see the message; in several documented cases the malicious message was deleted by the attacker afterward, leaving almost no trace.
This is the nightmare scenario for defenders, because it removes the last line of defense that depended on the user. You can be the most disciplined, security-aware person alive, never click a link, never open an attachment — and still wake up owned, because your phone did the dangerous thing on your behalf the instant a crafted message arrived. The best-known example, dubbed "FORCEDENTRY" by Citizen Lab and analyzed in depth by Google's Project Zero, exploited the way Apple's iMessage automatically processed incoming image files. No click was required; receiving the message was the attack.
6. Anatomy of a zero-click exploit chain
A modern zero-click compromise is not one bug; it is a carefully engineered chain of several, each one solving a problem created by the device's layered defenses. While the exact details differ by target and era, the shape of such a chain is consistent and worth understanding.
Step one: the entry point — a parser
Phones automatically process untrusted data all day long: images in messages, video thumbnails, audio in calls, web fonts, PDF previews, link previews. Each of those is handled by a "parser" — code that interprets a complex file format. Parsers are notoriously bug-prone because file formats are complicated and attackers control every byte. A flaw in an image or document parser that runs automatically on an incoming message is the perfect zero-click entry point: the attacker sends a malformed file, the phone parses it without asking, and a memory-corruption bug hands the attacker a foothold.
Step two: escaping the sandbox
That first foothold is usually trapped inside a "sandbox" — a restricted compartment that limits what the compromised component can do. Modern operating systems isolate apps and services precisely so that a bug in one place can't immediately take over everything. So the attacker needs a second vulnerability to break out of the sandbox and reach more privileged parts of the system.
Step three: defeating mitigations
Even with a memory bug, attackers face defenses like address-space layout randomization (which hides where code lives in memory) and pointer authentication (which makes it hard to redirect program flow). Reliable exploits include clever techniques to bypass these mitigations — sometimes building tiny "weird machines" out of the data the parser itself processes, computing the information they need from inside the bug.
Step four: kernel compromise and persistence
The chain culminates in code execution in the kernel — the core of the operating system — which grants control over the entire device. From there the implant can read any app's memory, intercept any sensor, and disable protections. Depending on the device and version, the implant may persist across reboots, or it may be deployed fresh each time. Some implants live only in memory and vanish on restart, which is excellent for stealth and forensic evasion: a reboot erases the evidence, while the attacker simply re-infects the device.
The engineering required to do all of this reliably, silently, against the latest hardware and software, is what makes these capabilities so valuable. It is also why they are scarce: only a handful of organizations on earth can build and maintain them, and every new operating-system update can burn an exploit that cost a fortune to develop.
7. Other ways in: network injection and more
Zero-click messaging exploits are the headline, but they are not the only delivery method. Vendors have used network injection: if an operator can position themselves on the network path — through a cooperative mobile carrier, a rogue cell-site simulator near the target, or a compromised Wi-Fi link — they can silently redirect an ordinary, unencrypted web request the phone makes in the background and inject the exploit into the response. The victim browses normally; the network does the rest.
Other vectors include physical access (briefly handling an unlocked device), SIM-based attacks, and tailored one-click lures for less careful targets. The common theme is that the attacker only needs one path to succeed, while the defender has to close all of them. That asymmetry is the defining feature of the entire problem.
8. What it does once it's inside
Once the implant is running with full privileges, the phone is no longer yours. Documented capabilities of Pegasus-class spyware include:
- Reading all messages — in any app, including end-to-end encrypted ones, because it reads them on the device after they are decrypted for display.
- Live microphone and camera access — turning the phone into a roving bug that records conversations and surroundings, even when no call is in progress.
- Continuous location tracking — a complete movement history, in real time.
- Harvesting stored data — photos, contacts, call logs, calendars, browsing history, notes.
- Stealing credentials — passwords, tokens and keys from the device keychain, which can then unlock cloud accounts and other services.
- Capturing keystrokes and screen content — seeing exactly what the user types and reads.
In short: total, silent, ongoing surveillance of a person's communications, movements and surroundings, exfiltrated quietly to the operator. The victim usually has no idea. There is no pop-up, no battery drain large enough to notice, no obvious sign. That invisibility is the product's most important feature.
9. Why end-to-end encryption can't save you
This is the single most important thing to understand, and the reason this article lives on the website of a company that builds encrypted communications. End-to-end encryption protects a message in transit, between your device and your contact's. It does not — cannot — protect a message that is sitting decrypted on a device the attacker controls.
When you read a message, your phone decrypts it and renders it on the screen. When you type a reply, you compose it in the clear before it is encrypted and sent. At those moments, the plaintext exists in the device's memory and on its display. An implant with kernel-level control simply reads it there. The encryption did its job perfectly — the ciphertext on the wire was unreadable — and it made no difference, because the attacker went around it by owning an endpoint.
This is why "we use end-to-end encryption" is a necessary but wildly insufficient claim against a Pegasus-class adversary. The defense has to extend beyond the cryptography to the entire surface that an attacker can reach and exploit: the parsers that process untrusted data, the apps that can be targeted, the network paths that can be hijacked, the metadata that betrays you even when content is safe, and the device platform itself. A messenger that only encrypts content is bringing a strong lock to a fight about whether the attacker can simply walk in through the wall.
10. Who gets targeted, and why
Pegasus is expensive and finite, so it is aimed deliberately. The documented target list reads like a directory of people who hold or threaten power:
- Journalists and their sources — to identify whistleblowers, kill stories, and map investigative networks.
- Human-rights activists and dissidents — to monitor, intimidate, and pre-empt organizing.
- Lawyers — to pierce privilege and learn an opponent's case, strategy and clients.
- Opposition politicians and their staff — to gain leverage during elections and negotiations.
- Business executives, dealmakers and their advisers — for commercial and strategic intelligence: positions, valuations, negotiating limits, M&A plans.
- Diplomats and officials — including, in reported cases, the phones of heads of state and their inner circles.
- Family members of all of the above — because the people around a target are the softest route to the target.
The through-line is that you do not have to be a criminal to be surveilled. You only have to be interesting to someone with the budget and the motive: a government, a litigant, a corporate rival, a hostile family faction in a fortune dispute. If your communications would change an outcome in someone else's favor, you are a candidate. High-net-worth individuals, family offices and trading firms are squarely in this category, which is exactly why the question "could I be a target?" is the wrong one. The right question is "what happens to me if I am?"
11. The fallout — and why it won't protect you
The exposure of Pegasus produced one of the loudest scandals in the history of surveillance. The 2021 Pegasus Project, built on a leaked list of tens of thousands of phone numbers selected as potential targets, put the issue on front pages worldwide. Forensic analysis by Amnesty International's Security Lab and Citizen Lab confirmed infections on the devices of journalists, activists, lawyers and people close to murdered reporters. The political shockwaves reached presidents and prime ministers whose numbers appeared in the data.
The legal and regulatory consequences were real. The United States added NSO Group to its Commerce Department Entity List in 2021, restricting its access to American technology. Apple and Meta's WhatsApp both filed lawsuits against the company over the targeting of their users. Investors and partners distanced themselves; the firm faced financial distress and leadership churn. On paper, this looked like accountability catching up with the spyware trade.
But here is the uncomfortable lesson, and the reason none of it should reassure you. Legal and political consequences are slow, selective, and they arrive long after the damage is done. A lawsuit filed years later does not un-read your messages, un-record your meetings, or un-expose your source. Sanctions on one company do not dismantle the industry; they create a vacuum that competitors rush to fill. The capability did not vanish — it dispersed. New vendors, new brands and new exploit chains have stepped into the gap, often selling to the same kinds of clients with the same lack of oversight. Some operate from friendlier jurisdictions specifically to dodge export controls.
For an individual at risk, the takeaway is stark: you cannot rely on the law, the press, or the device maker to protect you in the moment that matters. By the time a scandal breaks or a court rules, the surveillance has already happened. Accountability is a deterrent at the level of policy; it is not a defense at the level of your phone. The only thing that protects you in real time is your own posture — what you can deny the attacker before they ever get in. That is a decision you make in advance, not a remedy you seek afterward.
It is also worth dispelling a comforting myth: that this is only a problem for famous dissidents in faraway countries. The same tools are marketed for "commercial dispute" and "asset tracing" use cases, and the brokers who sell access do not advertise their full client lists. A bitter divorce involving real money, a contested inheritance, a hostile takeover, a competitor who wants your negotiating position — these are exactly the situations where someone with resources may decide that the contents of your phone are worth buying. The barrier has never been capability. It has only ever been whether you are worth the price, and to enough people, more targets are worth it every year.
12. Pegasus 2 and the zero-click arms race
"Pegasus 2" is shorthand for the obvious truth that the threat does not stand still. Every time a device maker patches a vulnerability or ships a new defense, the vendors adapt. The discovery of FORCEDENTRY led Apple to re-architect how iMessage processes risky content (a feature called BlastDoor) and, later, to ship Lockdown Mode — an optional, deliberately reduced-functionality mode that turns off many of the automatic-processing features attackers abuse. These were meaningful steps. They also confirmed the model: defense is reactive, attackers iterate, and the next zero-click is always in development.
The broader market has matched the pattern. As NSO faced lawsuits and sanctions, other vendors — selling functionally similar zero-click capabilities — gained ground. New exploit chains targeting messaging apps and core OS components continue to surface in the wild, found by researchers analyzing the phones of likely targets. The honest summary is this: a sufficiently resourced adversary can probably still find a way onto a standard, fully featured smartphone if they spend enough. The realistic goal of a defender is therefore not magical immunity, but to make yourself so expensive to compromise — and so worthless if compromised — that it isn't worth the multimillion-dollar exploit, and gains them nothing if they burn it on you.
13. Can you even detect it?
Barely, and not reliably. Pegasus is engineered for stealth: minimal footprint, in-memory implants that evaporate on reboot, deletion of the messages used to deliver it. Forensic tools exist — Amnesty's Mobile Verification Toolkit (MVT) can scan device backups for known indicators of compromise — but they depend on knowing what to look for, they work best after the fact, and an absence of indicators is not proof of safety. For an ordinary user, there is no app you can install that will dependably tell you "you are infected." This is precisely why prevention and attack-surface reduction matter more than detection. By the time you could detect a top-tier implant, it has usually already taken what it came for.
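To make the detection limits above concrete, here is an added example (not MVT's code, and not part of the original article) of the kind of indicator matching a backup scanner performs: it pulls hostnames out of SMS and browser-history records, compares them and process names against a constructed indicator list, and reports a verdict that says exactly what a clean result does and does not mean. Every domain, process name and record below is a made-up placeholder, not a real Pegasus indicator.

```python
# Toy indicator-of-compromise (IoC) scan over phone-backup records.
# Constructed data only: the domains, process names and records are
# placeholders, not real indicators from any forensic lab.
import re
from urllib.parse import urlparse

# Constructed indicator set. Real scanners load curated indicator files
# published by forensic labs; these values are invented for the example.
INDICATORS = {
    "domains": {"lure-news.invalid", "cdn-sync.invalid"},
    "processes": {"placeholder_implant_proc"},
}

# Constructed backup records: (source, value) pairs of the kind a scanner
# extracts from an SMS database, browser history and a process listing.
BACKUP_RECORDS = [
    ("sms", "Your parcel is waiting: https://track.lure-news.invalid/p/1"),
    ("sms", "Meeting moved to 3pm, see https://calendar.example.org/x"),
    ("safari_history", "https://news.example.org/story"),
    ("safari_history", "http://a.b.cdn-sync.invalid/pull?id=9"),
    ("processes", "placeholder_implant_proc"),
    ("processes", "SpringBoard"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def hostnames(text):
    """Return every hostname found in URLs inside text, lower-cased."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def host_matches(host, bad_domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def scan(records, indicators):
    """Return a list of (source, matched_indicator, record_value) hits."""
    hits = []
    for source, value in records:
        if source == "processes":
            if value in indicators["processes"]:
                hits.append((source, value, value))
            continue
        for host in hostnames(value):
            if host_matches(host, indicators["domains"]):
                hits.append((source, host, value))
    return hits


def verdict(hits):
    """A clean result only means no *known* indicator matched; it is not
    evidence that the device is uninfected."""
    if hits:
        return f"{len(hits)} indicator match(es): review the device"
    return "no known indicators matched (not proof of safety)"


if __name__ == "__main__":
    found = scan(BACKUP_RECORDS, INDICATORS)
    for source, ioc, value in found:
        print(f"[{source}] {ioc}: {value}")
    print(verdict(found))
```

Note that an indicator list is only as good as the last published research: an implant delivered through a domain nobody has catalogued yet, or one whose delivery message was deleted before the backup was taken, leaves this scan reporting "clean".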
14. How you actually defend yourself
There is no single switch. Real defense against a Pegasus-class adversary is a posture, built from layers that each remove something the attacker needs:
Shrink the attack surface
Every app, every automatic-processing feature, every reachable service is a potential entry point. The fewer there are, the fewer bugs an attacker can reach. Hardened operating systems such as GrapheneOS strip away unnecessary components, tighten permissions, and add exploit mitigations the stock platform lacks. Apple's Lockdown Mode is the same idea: disable the risky conveniences. Less surface, fewer doors.
Remove reachability
You cannot be sent a zero-click payload through a channel that strangers cannot reach. A phone number is a public address; anyone can message or call it, which is exactly how many implants are delivered. A closed system, where only people you have explicitly added can contact you at all, eliminates the inbound attack surface that open messengers expose by design.
Eliminate off-the-shelf targets
Exploits are written against specific, widely deployed software. The more standard and common the component, the more an exploit pays off. Communications built on bespoke protocols rather than ubiquitous, well-documented stacks give an attacker far less to aim a pre-built exploit at.
Protect metadata, not just content
Even when an attacker can't read your messages, the pattern of who you talk to and when is intelligence in itself. Routing that hides the relationship between sender and recipient denies the adversary the social graph they prize.
Compartmentalize and assume breach
Keep sensitive communications off your everyday phone and its everyday number. Use separate, hardened devices for high-stakes conversations. Assume any single device can eventually fall, and design so that one compromise does not expose everything: data that lives only on the device and can be wiped instantly limits the blast radius.
Keep everything current
Patches close the specific holes that yesterday's exploits used. Updating promptly does not stop a fresh zero-day, but it raises the cost and closes the long tail of cheaper, known attacks. It is necessary, just not sufficient.
15. Where Helix fits
Helix is built around exactly the principles above, because they are the only honest answer to a Pegasus-class threat. We do not claim to make any device magically immune — no serious security engineer would, and you should distrust anyone who does. What we do is systematically remove what the attacker needs at every layer we control:
- Our own protocols and encryption — there is no ubiquitous, off-the-shelf component sitting in the communications path for a pre-built exploit to target.
- A closed network — no phone number, no public account, no inbound surface; strangers simply cannot reach you to deliver anything.
- Post-quantum, triple-layer encryption — content captured now stays unreadable, even against future quantum computers.
- Onion-routed metadata — the social graph itself is protected, not just message bodies.
- No third parties, no cloud — nothing to subpoena, breach, or quietly harvest; data lives only on devices you hold.
- Plausible deniability and one-tap burn — nothing obvious to find on a seized device, and an instant wipe that limits the blast radius.
- The Helix Hardened Phone — when the device itself is part of the threat model, a GrapheneOS handset we lock down, with the app pre-installed, so the platform was never an easy target to begin with.
The goal is not a marketing promise of invincibility. It is a deliberate, defensible posture: make yourself not worth the zero-day, and worthless to the adversary if they spend one anyway. That is the most that can be honestly offered against this class of threat — and it is far more than an "encrypted app" tied to a phone number and a cloud account can give you.