Pegasus Spyware: What It Means for Businesses

NSO Group's Pegasus Spyware And The Implications For Businesses

Pegasus is a class of commercial spyware designed for targeted surveillance. The risk profile is different from everyday malware: it is typically used against specific people whose access, devices, or relationships are valuable.

For businesses, the practical problem is not just device compromise. It is credential exposure, meeting surveillance, and account recovery abuse that follows from a phone being quietly monitored.

Start here: risk triage

  • If you are in a high-risk role (executive, security, legal, journalism, politics, activism) assume you are more likely to be targeted than a random employee.
  • Move critical accounts to stronger authentication that does not rely on SMS (authenticator apps, passkeys, or hardware keys). See two-factor authentication (2FA) for the basic models.
  • Keep iOS and Android fully updated. Many high-end spyware campaigns rely on vulnerabilities that are patched after discovery.
  • Use managed devices and enforce baseline controls through mobile device management (MDM) if you have even a small IT footprint.
  • On iPhone, consider Lockdown Mode for staff who have elevated targeting risk. It reduces attack surface by limiting some features and attachment types.

Key idea: You do not need to prove "Pegasus" to reduce risk. A phone that might be under targeted surveillance should be treated as an untrusted endpoint until you have a clean device and clean accounts.

What Pegasus is and what it is not

Pegasus is commonly described as mercenary spyware: software sold by a commercial vendor and deployed by clients for surveillance. Its goal is persistent access to data on a phone: messages, call history, microphone, camera, and location, depending on the campaign and the device.

It is not the same as mass-scale adware or commodity banking malware. Most small businesses will never be directly targeted. The spillover happens when a high-value person uses the same device for work, or when a targeted phone is used to approve logins and password resets for business systems.

How targeted mobile compromise happens

Campaigns vary. Some rely on malicious links and social engineering, and others rely on vulnerabilities in device components or messaging stacks. The common thread is that phone compromise is often quiet: you may not see a pop-up, and you may not notice battery or performance changes.

That uncertainty is why the operational response should focus on control planes: identity, recovery channels, and device management. Those are the levers that change outcomes even when you cannot prove an implant.

What to do if you suspect targeted spyware

  • Assume the phone is not trustworthy for security decisions. Do not approve logins or reset passwords from it.
  • From a separate, trusted device, change the password for your primary email account first, then your password manager, then business single sign-on accounts.
  • Rotate recovery channels: remove unknown recovery emails/phone numbers, and prefer app-based or hardware-based MFA over SMS.
  • Preserve evidence before you wipe anything if legal risk exists. Take photos of warnings, suspicious messages, and device settings that look wrong.
  • If you need to triage quickly, start with the safer, consumer-level steps in how to check if your phone is hacked, then escalate.

For deeper investigation, Amnesty International maintains the Mobile Verification Toolkit (MVT) used in many public investigations. It is not a consumer product and it has limitations, but it is a realistic starting point for technical teams: MVT documentation.

Business controls that reduce impact

Mobile spyware is hard to prevent perfectly. The goal is to make a phone compromise less valuable and less able to spread into accounts and systems.

Control | What it prevents or limits | Owner
MDM enrollment + baseline policies | Unauthorized profiles, risky configuration changes, weak screen locks | IT / security
Rapid OS patching | Known vulnerabilities used in targeted campaigns | IT + employee
Account security away from SMS | Number takeover enabling password resets and session hijacks | Security
Separate devices for high-risk roles | Cross-contamination between personal targeting and business identity | Leadership + IT
Session visibility and log review | Silent account takeovers that follow from compromised approvals | Security
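The last two rows, "account security away from SMS" and "session visibility and log review", describe a pattern a security team can actually search for: a recovery-channel or credential change (especially one approved over SMS, which a monitored phone can satisfy on someone else's behalf) followed shortly by a sign-in from a device the account has never used. The script below is an added example written for this article, not code from the article or from any identity provider; the event schema, field names and sample events are constructed assumptions, so map them onto your own IdP's audit log before using it.

```python
"""Audit-log review for the takeover pattern that follows a monitored phone:
a credential or recovery-channel change followed, within a short window, by a
sign-in from a device that had never signed in to that account before.

Added example. The event schema, field names and sample events are
assumptions, not any real identity provider's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Events that change who can get into an account or how it is recovered.
CREDENTIAL_CHANGE_EVENTS = {
    "password_reset",
    "recovery_phone_added",
    "recovery_email_added",
    "mfa_method_added",
    "mfa_method_removed",
}

# Approval channels a compromised phone can complete on an attacker's behalf.
PHONE_BOUND_METHODS = {"sms", "voice_call"}

# Constructed sample events (ISO 8601 timestamps, deliberately not in order).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "cfo@example.com",
     "event": "login", "method": "passkey", "device": "laptop-cfo"},
    {"ts": "2024-05-01T21:10:00", "user": "cfo@example.com",
     "event": "recovery_phone_added", "method": "sms", "device": "phone-cfo"},
    {"ts": "2024-05-01T21:12:00", "user": "cfo@example.com",
     "event": "password_reset", "method": "sms", "device": "phone-cfo"},
    {"ts": "2024-05-01T21:15:00", "user": "cfo@example.com",
     "event": "login", "method": "password", "device": "unknown-android"},
    {"ts": "2024-04-30T10:00:00", "user": "dev@example.com",
     "event": "login", "method": "passkey", "device": "laptop-dev"},
    {"ts": "2024-05-02T08:30:00", "user": "dev@example.com",
     "event": "password_reset", "method": "authenticator_app", "device": "laptop-dev"},
    {"ts": "2024-05-02T08:35:00", "user": "dev@example.com",
     "event": "login", "method": "password", "device": "laptop-dev"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_takeover_candidates(events, window_minutes=60, high_risk_users=frozenset()):
    """Return findings (dicts sorted by time) for each credential/recovery
    change that is followed within `window_minutes` by a sign-in from a device
    never seen on that account before the change. Severity is "high" when the
    change was approved over a phone-bound channel or the user holds a
    high-risk role, otherwise "medium"."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        seen_devices = set()  # devices that signed in before the change under review
        for i, change in enumerate(evs):
            if change["event"] == "login":
                seen_devices.add(change["device"])
                continue
            if change["event"] not in CREDENTIAL_CHANGE_EVENTS:
                continue
            for later in evs[i + 1:]:
                gap = _ts(later) - _ts(change)
                if gap > window:
                    break
                if later["event"] == "login" and later["device"] not in seen_devices:
                    reasons = [f"new device {later['device']} signed in "
                               f"{int(gap.total_seconds() // 60)} min after {change['event']}"]
                    if change["method"] in PHONE_BOUND_METHODS:
                        reasons.append(f"change approved over {change['method']}")
                    if user in high_risk_users:
                        reasons.append("user is in a high-risk role")
                    severity = ("high" if change["method"] in PHONE_BOUND_METHODS
                                or user in high_risk_users else "medium")
                    findings.append({"user": user, "ts": change["ts"],
                                     "trigger": change["event"],
                                     "severity": severity, "reasons": reasons})
                    break
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in find_takeover_candidates(SAMPLE_EVENTS, high_risk_users={"cfo@example.com"}):
        print(f["severity"].upper(), f["user"], f["trigger"], "-", "; ".join(f["reasons"]))
```

On the sample data the two SMS-approved changes on the CFO account are both flagged as high because an unknown Android device signs in minutes later, while the developer's authenticator-app reset followed by a sign-in from an already known laptop produces nothing. The `high_risk_users` set is where the "separate devices for high-risk roles" row earns its keep: feed it the executive, legal and security accounts so that the same pattern on those users is never downgraded to medium.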

Policy and legal reality (what you can rely on)

NSO Group has been the subject of government actions and civil litigation. Those developments matter for awareness, but they do not change the day-to-day response: treat the device as compromised, secure the identities tied to it, and move to managed, hardened endpoints for the people most likely to be targeted.

When a phone has access to sensitive communications, the defensive strategy is to reduce what a single device can authorize and to make recovery paths harder to abuse. That is how you keep a targeted mobile compromise from turning into a business compromise.