Tax Insights & Fraud Awareness

The Spy in Your Pocket

by · December 11, 2025

What Everyone Should Know About the ‘Most Powerful Phone Hacking Tool Ever Created’—and Why the Rumors You’ve Heard ‘Are Only Half Right’

Have you heard the latest rumor? “Don’t answer calls from unknown numbers—hackers can steal all your data just by picking up the call!”

A version of this rumor has been circulating in communities worldwide, from Israel to the United States. Like many rumors, it contains a kernel of terrifying truth wrapped in exaggeration.

The truth is this: surveillance technology does exist that is so sophisticated it can compromise your smartphone with virtually no action required on your part. However, the rumor gets important details wrong—and understanding those details is the difference between informed caution and unnecessary panic.

Pegasus is spyware developed by NSO Group, an Israeli cyber-intelligence company founded in 2010. The company sells its technology exclusively to government agencies, marketing it as a tool to fight terrorism and serious crime. A single license reportedly costs millions of dollars.

What sets Pegasus apart from ordinary malware is its use of “zero-click” attacks. Traditional hacking requires you to take some action—click a malicious link, download a compromised attachment, or visit a dangerous website. Pegasus, however, can infect your phone through specially crafted messages delivered via iMessage, WhatsApp, or other apps. These messages exploit unknown vulnerabilities in your phone’s operating system. You don’t need to open them. You don’t need to read them. Simply receiving one can be enough.

Once installed, Pegasus grants its operators virtually complete control over your device. They can read encrypted messages from Signal, WhatsApp, and other “secure” apps by intercepting them before encryption is applied. They can access your emails, photos, contacts, and location history. They can remotely activate your microphone and camera. And the spyware is engineered to conceal its presence, even erasing itself if it suspects discovery.

“Use of surveillance software has been linked to arrest, intimidation, and even killings of journalists and human rights defenders.” — Former UN Human Rights Chief

In 2021, a consortium of journalists known as the Pegasus Project revealed a leaked list of more than 50,000 phone numbers selected as potential surveillance targets. These weren’t terrorists or drug lords. They were journalists investigating government corruption. Human rights lawyers defending dissidents. Opposition politicians. Activists. Even heads of state.

Perhaps the most chilling case involves Jamal Khashoggi, the Saudi journalist and Washington Post columnist murdered inside the Saudi consulate in Istanbul in 2018. Investigations revealed that Pegasus had been used to monitor his inner circle, including his wife. Many believe the intercepted communications influenced the decision to assassinate him.

As recently as February 2025, two investigative journalists in Serbia were targeted with Pegasus—part of what Amnesty International has documented as an ongoing pattern of surveillance against civil society in that country. These attacks persist despite international exposure and legal consequences for NSO Group.

Here’s where fact must be separated from fear: if you’re reading this article, you are almost certainly not a target of Pegasus.

Pegasus licenses cost millions of dollars. The zero-click exploits it employs are among the most valuable commodities in the cybersecurity world—they are “burned” (rendered useless) once discovered and patched. No one is wasting these precision weapons on ordinary citizens. This is surveillance technology designed for governments targeting specific high-value individuals: journalists exposing corruption, activists challenging regimes, and political opponents.

The rumor that simply answering a robocall can compromise your phone? That’s not how any of this works. Ordinary scam callers don’t have access to military-grade spyware. They need you to take action—provide information, install an app, click a link, or grant remote access. The call itself isn’t the attack.

Still, your instinct to be concerned isn’t misplaced: technology that is expensive and exclusive today often becomes cheap and widespread tomorrow.

Pegasus is no longer the only player. Companies such as Candiru, Intellexa, Cytrox, and Paragon Solutions all produce similar “mercenary spyware.” The knowledge and techniques are spreading. Even if NSO Group were shut down tomorrow—and they have already faced sanctions, lawsuits, and a $167 million judgment against them in 2025—the genie is out of the bottle.

We’ve already seen the rise of consumer-grade “stalkerware”—apps like FlexiSpy and mSpy, available for a few hundred dollars. These require physical access to install and aren’t as sophisticated as Pegasus, but they can still monitor messages, calls, locations, and cameras. They are frequently used by domestic abusers and stalkers.

The trajectory is clear: what began as nation-state capability became available to wealthy governments, then to smaller governments, and increasingly to private actors. How long before zero-click exploits appear on the dark web, accessible to anyone with enough cryptocurrency?

Against sophisticated zero-click attacks, individual defenses are limited. If a nation-state wants to compromise your specific phone and has the resources, they probably can. But that doesn’t mean you’re helpless.

For Everyone

  • Keep your devices updated. Every software update patches known vulnerabilities. This won’t protect against unknown exploits, but it closes doors attackers have used before.
  • Restart your phone regularly. Some advanced malware doesn’t survive a reboot. Security researchers recommend restarting your phone daily.
  • Focus on the threats that actually target you. While Pegasus makes headlines, ordinary scammers are trying to trick you with phishing emails, fake tech support calls, and romance scams. These mundane threats are far more likely to affect you than military-grade spyware.

For Higher-Risk Individuals

If you are a journalist, activist, attorney handling sensitive cases, or anyone else who might be a target of government surveillance:

  • Enable Lockdown Mode on iPhones. This Apple feature significantly reduces your attack surface by disabling certain exploitable functionalities.
  • Use Amnesty International’s Mobile Verification Toolkit (MVT). This free tool can check your device for signs of Pegasus or similar spyware.
  • Consider a secondary “burner” phone for sensitive communications. Keep it separate from your main device and replace it periodically.
  • Seek professional security assessments. Organizations like Access Now provide digital security support for civil society at risk.

The existence of Pegasus and tools like it represents more than a cybersecurity threat. It is a fundamental challenge to the idea that private communication is a right in the digital age.

The solutions aren’t primarily technical—they are legal and political. We need international regulation of the spyware industry. We need to hold vendors legally accountable for how their tools are used. We need device manufacturers to prioritize security architecture over convenience. And we need governments to establish clear rules about when and how surveillance technology can be deployed.

In May 2025, Meta won a landmark $167 million judgment against NSO Group—the first time a court held a spyware company directly liable for hacking. It’s a start, but the spyware industry continues to operate, and the technology continues to spread.

So the next time someone warns you not to answer unknown calls because hackers will instantly steal your data, you can tell them the truth is both more reassuring and more troubling than that.

  • More reassuring: answering a robocall won’t compromise your phone. Spyware capable of zero-click infection is reserved for high-value government targets, not ordinary citizens.
  • More troubling: the technology exists. It has been used against journalists and activists. It is spreading to more actors. And the defenses available to individuals are limited.

The spy in your pocket isn’t coming for you today. But the world it represents—where private communication can be revoked at will by those with enough money and power—is already here. What we do about it is up to all of us.

Resources

  • Amnesty International Security Lab: securitylab.amnesty.org — Reports on spyware attacks and the Mobile Verification Toolkit
  • Citizen Lab (University of Toronto): citizenlab.ca — Leading research on digital threats to civil society
  • Access Now Digital Security Helpline: accessnow.org — Free support for activists, journalists, and human rights defenders
  • Apple Lockdown Mode: Available in Settings > Privacy & Security on iPhone, iPad, and Mac

This article is part of Justice for Fraud Victims, Inc.’s Fraud Awareness Series. JFV is a 501(c)(3) charitable organization assisting fraud victims and providing educational materials for fraud prevention. For more information, contact JFV at College Park, Maryland

Tags:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *