Pegasus is commercial spyware made by the NSO Group and sold to government clients. Once it is on a phone it can read messages, listen to calls, turn on the microphone and camera, and pull location — including content inside end-to-end encrypted apps, because it reads the device after the message is decrypted. The Pegasus Project, a collaboration of newsrooms coordinated by Forbidden Stories with technical analysis from Amnesty International’s Security Lab, documented its use against journalists, lawyers, and activists.
What “zero-click” means
Most phone malware needs you to do something — tap a link, open an attachment, install an app. A zero-click exploit needs none of that. It abuses a flaw in how your phone silently processes an incoming message, image, or call, so the device is compromised before anything appears on your screen. There is nothing obvious to avoid clicking, which is exactly why ordinary “be careful what you open” advice is not enough against a targeted operator.
How likely is this for you?
Mercenary spyware is expensive and targeted. It is aimed at specific high-risk people — reporters on national-security, corruption, or human-rights beats, their sources, and their editors — not sprayed at the general public. If you cover those beats, the right response is a calm threat model, not panic. If you do not, the realistic risks to your reporting are far more ordinary (phishing, account takeover, a lost device). See how to threat-model your reporting to size the risk honestly.
The honest limits of any check
This matters more than anything else on this page: a clean result never means “your device is safe” — only “no known indicators of compromise were found.” Detection relies on published indicators for spyware that has already been studied. A new exploit chain, or one that cleans up after itself, can leave nothing for a check to find. Absence of evidence is not evidence of safety.
And if you suspect your phone is infected, do not factory-reset it or rip out a suspicious app first. Wiping the device destroys the very forensic traces that could confirm what happened, and acting on the device can tip off whoever is watching. Preserve first: stop using it for sensitive work, keep it powered and in the state it is in if you can, and get a methodical check. The companion guide, how a journalist checks a phone for spyware, walks through the safe order of operations.
If you need lab-grade confirmation
Self-checks are a screening step, not a verdict. When the stakes are high — a story, a source, or your own safety — a credentialed examiner can image the device without altering it, correlate against known indicators, and produce a court-ready record of what was and was not found. SleuthX offers that confirmation step; see newsroom device-compromise response. Free help from the named research labs below should usually be your first call.
















