Q&A: A guide to ‘spyware’

How Pegasus works, who is most vulnerable and why it’s hard to protect yourself from hacks

An investigation by a consortium of media organizations found Israeli firm NSO Group's Pegasus spyware was used to hack smartphones of journalists and others. (Video: Jon Gerberg/The Washington Post)

The Pegasus Project, an investigation by The Washington Post and 16 other news organizations in 10 countries, was coordinated by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International. Those two groups had access to a list of more than 50,000 phone numbers that included surveillance targets for clients of the Israeli spyware company NSO Group, which they shared with the journalists. Over the past several months, the journalists reviewed and analyzed the list in an effort to learn the identities of the owners of the phone numbers and to determine whether their phones had been implanted with NSO’s Pegasus spyware.

The investigation was able to link more than 1,000 government officials, journalists, businesspeople and human rights activists to numbers and to obtain data for 67 phones whose numbers appeared on the list. That data was then analyzed forensically by Amnesty International’s Security Lab. Thirty-seven of those showed evidence of an attempted Pegasus intrusion or a successful hack.

Further analysis indicated that many of those intrusions or attempted intrusions came shortly after the phone number had been entered onto the list — some within seconds — suggesting a link between the list and subsequent surveillance efforts.

How vulnerable are you to such spyware? Are there steps you can take to keep your phone safe? Here are some answers: