How Pegasus spyware ‘found on a device connected to Number 10’ works

Downing Street computer systems are suspected to have been infected by powerful hacking spyware linked to spies in the United Arab Emirates.

It led to Boris Johnson’s mobile phone being analysed by cybercrime investigators and, although the sweep of devices failed to identify the source, has thrust the software used into the spotlight.

So just what is Pegasus, how does it work and who can be targeted?

One expert warned that it effectively means ‘every phone in every pocket is a spy’, with the terrifying spyware able to film users through their device’s camera, record conversations, listen to calls and even send messages.

Pegasus is sold by the Israeli-based NSO Group so governments can carry out surveillance by infecting phones with the military-grade software.

But ordinary members of the public may also be at risk, sometimes without so much as a click of a button.

Downing Street computer systems are suspected to have been infected by powerful hacking spyware linked to spies in the United Arab Emirates. So just what is Pegasus, how does it work and who can be targeted?

While its not entirely clear how Pegasus conducts its 'zero-click' attacks, experts believe functions including Photos, WhatsApp, iMessage and Apple Music are vulnerable and can give the program access to victims' location, videos and photos, messages, contact list and more

While its not entirely clear how Pegasus conducts its ‘zero-click’ attacks, experts believe functions including Photos, WhatsApp, iMessage and Apple Music are vulnerable and can give the program access to victims’ location, videos and photos, messages, contact list and more


It is highly unlikely that anyone other than high-profile targets or individuals of interest to NSO will have been hacked by Pegasus.

However, there are fears the now exposed vulnerability could be manipulated by less sophisticated hackers and may be used to target regular people. 

The military-grade software produced by NSO is only available to nations that have purchased the sophisticated and extremely powerful Pegasus technology. 

However, it has repeatedly been found deployed to hack journalists, lawyers, human rights defenders and dissidents. 

In the past it is believed to have been used to target a UK-based lawyer, a Saudi dissident, a citizen of Qatar and Mexican journalists and activists.

The lawyer is believed to have been engaged in a lawsuit against NSO and became suspicious when receiving random WhatsApp calls from Sweden. 

Researchers at Citizen Lab, a research group at the University of Toronto, conducted extensive forensic examinations of the handset and found no trace of embedded malware. 

However, what they uncovered was a digital footprint similar to that which is known to have belonged to NSO technology in the past.

WhatsApp engineers also identified the issue and worked extensively to fix the bug. 

The Financial Times identified the actor as Israel’s NSO Group, previously referred to as a ‘cyber arms dealer’, and WhatsApp said it was ‘not refuting any of the coverage you’ve seen’. 

The revelation added to the questions over the reach of the Israeli company’s powerful spyware. 

How is Pegasus installed on smartphones?

Since 2019, hackers have been able to install the software on smartphones with a missed call on WhatsApp, and can even delete the record of the missed call, making it impossible for the phone’s owner to know they have been targeted. 

‘Pegasus can be installed on phones via a simple text message or through exploiting vulnerabilities on devices that can even deploy without requiring the user to click anything,’ cyber security expert Jake Moore from ESET told MailOnline. 

‘Once the software is placed on a device it can copy messages, view photos, record phone calls, and even secretly view the user via the phone’s camera and both Android and Apple phones are vulnerable. 

‘This makes it extremely dangerous and powerful in surveillance attacks, leaving targeted victims in the dark.’

What can the spyware gain access to?

Pegasus can stealthily enter a smartphone and gain access to everything on it, including its camera and microphone. 

It is designed to infiltrate devices running Android, Blackberry and iOS operating systems and turn them into surveillance devices. 

NSO Group has always defended its use, saying it only sells Pegasus to governments for legitimate law enforcement and intelligence purposes, such as against criminals or terrorists.

But it has faced intense scrutiny over the claim. 

Once installed, the spyware can theoretically harvest any data from the device and transmit it back to the attacker. 

As well as stealing photos and videos, it can record a person’s location, web searches, passwords and social media posts.

The software can even activate cameras and microphones for real-time surveillance without the permission or knowledge of the user.

Who is being targeted?

It is currently unclear who or what types of people are being targeted and why, although it tends to be high-profile figures.

‘Governments often use spyware to carry out international espionage against other governments but like with any weapon art, it can also be lethal in the wrong hands,’ Moore said.

‘High profile people must be aware of the ease at which this can occur and must take precautions such as using a second device for official business and hold private meetings away from any device where possible. 

‘Other people could also potentially be targeted but it is less likely.’

He added: ‘It is therefore vital everyone always continually updates their devices at the earliest opportunity to help best protect their personal information.’

What happened in No 10?

Canadian investigative group Citizen Lab said suspected Pegasus spyware was discovered on Downing Street and Foreign Office computer systems in 2020 and 2021.

The claims are linked to an investigation by the New Yorker magazine, which looked at the targeting of individuals campaigning for Catalan independence from Spain.

Speaking to BBC Radio 4’s Today programme, the New Yorker’s investigative reporter Ronan Farrow said the belief is that data was exfiltrated from the computer network at No 10.

He added: ‘They don’t know whom the device in question belonged to but they do know that someone connected to that network through their phone was hacked.

‘UK officials that I spoke to did confirm that the network was compromised — [but] they were not able to find a specifically-hacked phone.

‘In the case of the Foreign Office hacks they did find evidence of that hacking.’

Discussing the Pegasus software, Farrow said: ‘It cracks open phones, it gives access to all of the most intimate content on that phone, your text messages, your photos, anything that can be weaponised against you, or be of interest to someone looking to surveil you.

Powerful spyware known as Pegasus was used to infect a device connected to the network at 10 Downing Street, it has been claimed

Powerful spyware known as Pegasus was used to infect a device connected to the network at 10 Downing Street, it has been claimed

‘Or, in the most sophisticated cases of this technology, it turns on your microphone, it turns on your camera — it provides real time surveillance.

‘So essentially this means every phone in every pocket is a spy, and as we’re seeing with those uses, that can be something that is used by authoritarians seeking to crack down on dissent.’

Who else has fallen victim to Pegasus hacks? 

It is not just the British government that has been targeted, however.

In September last year, traces of Pegasus spyware were found on the mobile phones of at least five current French cabinet ministers, according to the investigative website Mediapart.

The revelation came two months after it was claimed that rights activists, journalists and lawyers around the world had been targeted with the phone malware sold to authoritarian governments by NSO Group.

They were on a list of some 50,000 phone numbers of people, although it was not clear where the this came from or how many phones had actually been hacked.

Politicians and heads of state, business executives, activists, and several Arab royal family members were all on the list, along with more than 180 journalists from organisations including CNN, the New York Times and Al Jazeera. 

Boris Johnson's mobile phone was analysed by cybercrime investigators following the breach

Boris Johnson’s mobile phone was analysed by cybercrime investigators following the breach

NSO denied any wrongdoing at the time.

Despite the company insisting that it only sells the software to selected governments, there are fears it could be manipulated by less sophisticated hackers and used to target regular people. 

It has already been found deployed to hack journalists, lawyers and human rights defenders, among others.

Jakub Vavra, a mobile threat analyst at software security company Avast, said: ‘Since 2016, we have tracked and blocked several attempts by Pegasus spyware to breach Android phones, most of them in 2019. 

‘Evidently it is used as a highly targeted tool, as unlike spyware which often is spread widely to harvest masses of user data, Pegasus is used only on a few individuals, apparently, for surveillance purposes. 

‘The minimal spread of the spyware doesn’t make it less dangerous, for each individual being under surveillance the scope of privacy damage is certainly very high.’

What can you do to protect your smartphone?

Beware of spam text messages and don’t click any links from an unknown source.

Cyber security expert Jake Moore said it was ‘vital’ that everyone also ‘continually updates their devices at the earliest opportunity, to help best protect their personal information.’

It is also good practice to enlist two-factor authentication on your devices, because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information. 

Two-factor authentication provides a way of ‘double checking’ that you really are the person you are claiming to be when you’re using online services, such as banking, email or social media.

The option to switch on two-factor authentication is usually found in the settings of your device, where it may also be called 2-step verification (2SV). 

Last September Apple released an emergency software patch to fix a security vulnerability that researchers said could allow Pegasus hackers to directly infect iPhones and other Apple devices without any user action.

The flaw was identified by spyware researchers at Citizen Lab and reportedly affected all of Apple’s operating systems.

It was the first time a so-called ‘zero-click’ exploit had been caught and analysed, said the researchers, who found the malicious code on September 7, 2021 and immediately alerted Apple. 


Pegasus spyware gives hackers a terrifying level of access to a mobile phone without the victim having the faintest idea it has been hacked.

A malicious user can extract data including passwords, contacts, browsing history and social media posts, tell where the phone is, where it has been and whether it is on the move.

The hacker can also see incoming or outgoing calls and, perhaps most chillingly, access the device’s camera and microphone to take pictures or listen in on conversations remotely.

The creators of Pegasus – Israeli cyber intelligence company NSO Group Technologies – have long boasted that the spyware worked like a ‘ghost’, tracking the movements of targets without leaving a trace.

To avoid being spotted through racking up data charges on phone networks, the software transmits files only when the device is using Wifi.

When unable to do this, it collects and stores data in an encrypted software programme – but is designed to never use more than 5 per cent of space on an infected phone.

It can be installed on some Apple and Android devices and is believed to have exploited three security weaknesses in iPhones. One method involves sending a text message that provides a link to a website. If clicked on, malicious software is delivered to the phone.

NSO Group has claimed it keeps strict control over how its powerful software is used. Its staff can shut it down at any time or look at the information being collected.

But insiders told Israeli newspaper Haaretz that oversight was ‘non-existent’. The newspaper also said that if an infected phone entered Israel, Iran, Russia, China or the US, Pegasus wiped its software from the device.