What happened?
On 6 May 2025, a federal jury in California ordered the Israeli spyware vendor NSO Group to pay about $168 million in damages for targeting around 1,400 WhatsApp users in 2019.[1] The case was brought by WhatsApp and its parent company Meta after they discovered that NSO Group had exploited a vulnerability in WhatsApp's voice-call feature (CVE-2019-3568, a buffer overflow in the app's VoIP stack) that allowed its Pegasus spyware to be installed even if the user never answered the call.[2]
The targets included journalists, human rights advocates, political dissidents and government officials in more than 20 countries. Once installed, Pegasus could read messages, photos and location data, and could activate the device's microphone and camera without the user's knowledge.[3] Because the implant runs on the handset itself, it reads messages after they have been decrypted, so WhatsApp's end-to-end encryption offers no protection once the phone is compromised.
So what?
Pegasus and similar spyware represent sophisticated threats that demand equally sophisticated countermeasures: these tools can expose private conversations, confidential data and trade secrets.
While Pegasus is marketed to governments and law enforcement agencies for investigating terrorism and serious crime, it has gained notoriety through numerous allegations of misuse, in which it was deployed against journalists, human rights activists, political opponents and other unauthorised targets.
In addition to legal action, NSO Group was added to the US Department of Commerce's Entity List in November 2021, which restricts the export of US goods, software and technology to the company without a licence.
Other commercial spyware is now in use, and there are allegations that some of it has also been misused, so the threat persists. The targets of these surveillance tools have included journalists, human rights activists, politicians, business leaders, lawyers and government officials: a wide range of individuals, and potentially employees, could be targeted.
How to counter spyware
The use of this kind of spyware is not widespread, and it would be disproportionate to apply countermeasures in every case. Consideration should be given, however, to detecting and preventing its use against employees working on sensitive assignments or who are highly politically exposed.
Spyware of this class is designed to be stealthy: it is both difficult to detect and hard to eradicate. Modern variants are often "zero-click", requiring no action from the target, and some run only in memory, leaving few traces once the device is rebooted.
Both individuals and organisations should consider the following detection, response and prevention measures:
Detection tools and methods
- Use mobile forensic tools such as MVT (Amnesty International's Mobile Verification Toolkit), which compares iOS backups or filesystem dumps and Android ADB data against published indicators of compromise (IOCs), or commercial scanners such as iVerify and iMazing, to look for processes, files and domains associated with Pegasus
- Watch for telltale signs such as unexpected resource usage, battery drain and high data transfer while the device is idle, but treat these as weak signals: modern zero-click implants are engineered to avoid them, and their absence does not mean a device is clean
- Look in network logs (for example from a Wi-Fi gateway or DNS resolver the device uses) for unusual outbound connections to unfamiliar domains, particularly during periods when the device should be inactive, and compare destinations against published IOC domain lists
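The two network checks above (matching destinations against an IOC domain list, and flagging large outbound transfers while the device should be idle) can be run over an exported connection log. The following is an added example written for this page, not code from the original article or from MVT; the log format, the process names, the IOC domains (on reserved `.test` and `.invalid` TLDs) and the idle window are all constructed assumptions. Real indicator lists are published by Amnesty International's Security Lab and Citizen Lab, and MVT can download them for you.

```python
"""Scan device-side connection logs for spyware indicators.

Two checks, mirroring the advice above: (1) does the destination match a
published indicator-of-compromise (IOC) domain, including its subdomains, and
(2) is there a large outbound transfer during hours the device should be idle.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed IOC list for this example (made-up names on reserved TLDs).
# In practice, load the indicator files published by Amnesty International's
# Security Lab or Citizen Lab, which is what MVT fetches with `download-iocs`.
IOC_DOMAINS = frozenset({
    "example-c2.test",
    "cdn.evil-update.invalid",
})

# Constructed sample log, one record per line: timestamp,process,destination,bytes_out.
# The format is assumed for this example; a real export (e.g. from a gateway or
# DNS resolver the phone uses) will need its own parser.
SAMPLE_LOG = """\
2025-05-06T09:12:03,WhatsApp,e1.whatsapp.net,2048
2025-05-06T02:41:17,backgroundd,node.example-c2.test,5242880
2025-05-06T13:05:44,Safari,www.wikipedia.org,1200
2025-05-06T03:10:09,mediaserverd,updates.cdn-host.invalid,10485760
2025-05-06T12:00:00,Mail,imap.mail.example.org,900
2025-05-06T15:30:00,assistantd,cdn.evil-update.invalid,300
"""

IDLE_START, IDLE_END = time(0, 0), time(6, 0)   # assumed "device should be idle" window
IDLE_BYTES_THRESHOLD = 1_000_000                 # 1 MB outbound while idle is worth a look


@dataclass
class Finding:
    timestamp: datetime
    process: str
    destination: str
    bytes_out: int
    reasons: list[str] = field(default_factory=list)


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so 'C2.Example.TEST.' matches 'c2.example.test'."""
    return domain.strip().rstrip(".").lower()


def matches_ioc(host: str, iocs: frozenset[str]) -> bool:
    """True if host equals an IOC domain or is a subdomain of one (walk up the labels)."""
    labels = normalize(host).split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def in_idle_window(ts: datetime, start: time = IDLE_START, end: time = IDLE_END) -> bool:
    """Handle idle windows that do and do not wrap past midnight."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def parse_line(line: str) -> tuple[datetime, str, str, int]:
    """Parse one constructed-format record into typed fields."""
    ts, proc, dest, nbytes = line.split(",")
    return datetime.fromisoformat(ts), proc, dest, int(nbytes)


def scan(log_text: str, iocs=IOC_DOMAINS, idle_threshold: int = IDLE_BYTES_THRESHOLD) -> list[Finding]:
    """Return one Finding per log record that trips either check, in log order."""
    iocs = frozenset(normalize(d) for d in iocs)
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest, nbytes = parse_line(line)
        reasons = []
        if matches_ioc(dest, iocs):
            reasons.append("destination matches a known IOC domain")
        if in_idle_window(ts) and nbytes >= idle_threshold:
            reasons.append(f"{nbytes} bytes outbound during the idle window")
        if reasons:
            findings.append(Finding(ts, proc, dest, nbytes, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.process:<12} {f.destination:<28} {'; '.join(f.reasons)}")
```

On the constructed sample this flags three records: a subdomain of an IOC domain contacted at 02:41 with 5 MB outbound (both checks), a 10 MB transfer at 03:10 to a domain not on the list (idle check only), and a small daytime connection to a listed domain (IOC check only). The subdomain walk matters because operators typically use many hostnames under one registered domain; the idle-window check is deliberately a weak heuristic and is there to prompt a closer look, not to confirm infection.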
Post-detection response
- If indicators suggest infection, isolate the device immediately by enabling airplane mode and separately confirming that Wi-Fi and Bluetooth are off (airplane mode does not always disable them), to stop further data exfiltration
- Preserve evidence before wiping: take a full encrypted backup (iOS) or an ADB/bugreport export (Android) for forensic analysis, then factory reset the device, update it to the latest OS and restore only the data you need, as partial removal can leave components behind
- Rotate credentials for all accounts accessed from the compromised device, particularly high-value accounts such as email, banking and work systems; also revoke active sessions and app tokens, since changing a password alone leaves existing sessions valid, and re-enrol any MFA authenticator that lived on the device
Advanced protection strategies
- Implement "device compartmentalisation" by using separate devices for highly sensitive communications and everyday activities
- Consider hardened operating systems or security-focused mobile distributions when handling particularly sensitive information; on iOS, enable Lockdown Mode, which Apple introduced specifically for people who may be targeted by mercenary spyware and which blocks most message attachment types, disables link previews and restricts wired connections and some web technologies
- Keep the OS and messaging apps updated promptly and enable automatic updates; the WhatsApp flaw exploited in 2019 was patched within days, and unpatched devices remain exposed to exploits that are already public
- Route traffic through a trusted VPN so that outbound connections can be logged and inspected at the gateway, but be clear that a VPN does not protect a device that is already compromised: an on-device implant reads data before it enters the tunnel
- Employ DNS filtering or a secure DNS service that blocks domains on published spyware IOC lists, noting that operators rotate infrastructure quickly, so such lists catch known campaigns rather than new ones
- For high-risk individuals, rotate devices periodically or perform scheduled factory resets as a precaution; a daily reboot is also worthwhile, since some implants do not persist across a restart, although the device can be re-infected
Organisational defence measures
- Establish clear incident response procedures for a potentially compromised employee device, including who captures forensic evidence before the device is wiped and who notifies contacts whose communications may have been exposed
- Implement mobile device management (MDM) to enforce OS updates and device restrictions and, where needed, remotely wipe a compromised device, remembering that a wipe destroys forensic evidence
- Conduct regular security awareness training specifically addressing targeted spyware, including the fact that a zero-click infection leaves nothing for the user to notice, so reporting should be based on risk profile and indicators rather than on a suspicious message