Does Norton protect against Pegasus spyware?

Pegasus spyware is getting more publicity since Rachel Maddow recently linked phone-invading spyware like Pegasus to the current administration’s actions that seem consistent with creating autocracy here. Without debating politics, I’d like to know if my Norton malware protection targets Pegasus. Norton posted a discussion of Pegasus which seems to answer lots of questions except the one I want answered. Maybe antivirus companies can’t target Pegasus because of death threats from shady characters. I would like a straight answer.

P.S. We’re not allowed to post URLs here, but if you search for
does norton protect against pegasus
I think their article updated June 13, 2025 by Jeremy Coppock will show up.


What is Pegasus spyware, and how to detect and remove it - Jeremy Coppock - June 13, 2025

AI Mode
While Norton 360 can help defend against common spyware, it is not designed to protect against advanced, state-sponsored malware like Pegasus. Norton and other traditional antivirus products are generally not effective against Pegasus, which uses highly sophisticated “zero-click” exploits to silently infect a device.

Why Norton 360 is ineffective against Pegasus

  • Zero-click infections: Pegasus does not require any action from the user, such as clicking a malicious link. Instead, it exploits previously unknown vulnerabilities (zero-days) in operating systems and apps, which security companies like Norton are unaware of and cannot patch.
  • Stealthy design: The spyware is specifically engineered to avoid detection by standard security software. It can hide its presence, remove traces of infection, and prevent antivirus tools from scanning and discovering it.
  • Targeted and limited use: Pegasus is a costly, government-grade surveillance tool. It is not a mass-market threat and is used to target a small number of high-profile individuals, such as journalists, activists, and dissidents.

How to detect and remove Pegasus

Because of its sophisticated design, detecting Pegasus requires specialized forensic analysis tools, not a typical antivirus scan.

  • Mobile Verification Toolkit (MVT): Developed by Amnesty International, this open-source tool is the primary method for finding traces of a Pegasus infection. It is a command-line tool that requires technical expertise and works on both Android and iOS devices.
  • iMazing: This desktop software offers a simpler, graphical user interface for running the MVT, making it more accessible to non-experts. The tool is free and works by analyzing an iTunes backup of your iPhone or iPad.
  • Professional assistance: For high-profile individuals at risk, consulting a cybersecurity expert is the most reliable option for detecting and handling a potential Pegasus infection.

What to do if you suspect infection

If a scan indicates your device is compromised, here are the steps recommended by security experts:

  • Buy a new device: The safest and most secure option is to stop using the infected device and purchase a new one.
  • Perform a factory reset: A factory reset can wipe the spyware, but you should not restore from a backup, as the spyware may be reinstalled along with your data.
  • Change all passwords: After moving to a new, clean device, you should change all your account passwords to prevent the attacker from maintaining access.

How Norton can still help

While useless against Pegasus, Norton 360 still provides essential protection against more common threats that the average user faces daily.

  • General spyware: Norton 360 offers real-time protection against the common spyware, malware, and ransomware threats that are far more likely to target a typical internet user.
  • Secure VPN: The included VPN can encrypt your online activity to help keep your internet communications private from hackers and other snoops.
  • Dark web monitoring: The service can alert you if your personal information is found on the dark web, helping to mitigate other types of online risks.

---------------------------------------

AI Mode
Norton 360, like other standard antivirus and security software, does not protect against Pegasus. Pegasus is a highly sophisticated spyware that exploits previously unknown vulnerabilities, known as “zero-click” and “zero-day” exploits, to secretly infect a device without any user action. Traditional security software is not designed to stop or detect these advanced, government-grade surveillance tools.

Why Norton is ineffective against Pegasus

  • Zero-click infection: Pegasus can infect a phone without the user needing to click on a malicious link, making it undetectable by security software that primarily looks for user-initiated threats.
  • Zero-day exploits: It exploits vulnerabilities that have never been seen before, so no security software, including Norton, has had the chance to develop a patch or signature to identify the threat.
  • Targeted and covert: Pegasus is not a mass-market threat but a high-cost, specialized surveillance tool used to target a small number of high-profile individuals, such as journalists, activists, and dissidents. It is designed to be extremely difficult to detect and remove.

The purpose of Norton 360

While Norton is not a defense against Pegasus, it is still an essential tool for protecting against common cyber threats that the average person is more likely to encounter.

  • Common spyware and malware: Norton 360 offers robust, real-time protection against more common forms of malware and spyware.
  • Phishing and scams: It helps protect against phishing attacks and malicious websites that attempt to trick you into revealing personal information.
  • Security vulnerabilities: It helps guard against threats that exploit known software vulnerabilities by monitoring for suspicious behavior.

How to detect Pegasus

Detecting Pegasus requires specialized, forensic-level tools, not a standard antivirus scan.

  • Mobile Verification Toolkit (MVT): Developed by Amnesty International, this open-source tool is the primary method for analyzing a device for traces of a Pegasus infection. It is a command-line tool that requires technical skill.
  • Specialized assistance: If you are a high-profile individual who believes you may be targeted, consulting a cybersecurity expert is the most reliable way to detect and handle a potential Pegasus infection.

---------------------------------------

AI Mode
The mobile phones most vulnerable to Pegasus are those belonging to high-profile individuals targeted by state-sponsored actors, including journalists, activists, and dissidents. However, Pegasus can be and has been used to exploit vulnerabilities in both iOS and Android devices, regardless of which is generally perceived as more secure.

The main vulnerabilities exploited by Pegasus are not found in any one device type, but rather in unpatched software bugs and flaws in popular messaging apps.

Vulnerabilities in iOS devices

  • Targeting iMessage and other Apple apps: Pegasus has repeatedly exploited vulnerabilities within Apple’s own apps and services, most notoriously through iMessage. Zero-click exploits sent via an invisible or specially crafted iMessage have been a primary infection vector, with no action needed from the user.
  • Centralized updates: As security expert Edward Snowden pointed out, if hackers find a way to break into one iPhone model running a specific iOS version, they can potentially use the same exploit to target all similar devices worldwide.
  • Past exploit examples: A well-known exploit called FORCEDENTRY used a vulnerability in how iPhones render images from iMessage to deploy Pegasus. Apple has since released patches, but new exploits are always a risk.

Vulnerabilities in Android devices

  • Fragmented updates: The Android ecosystem is more fragmented, with updates often dependent on a user’s phone manufacturer and carrier. Devices not running the latest security patches are more exposed, creating more opportunities for Pegasus to exploit known but unpatched vulnerabilities.
  • Open architecture: While the openness of Android can be a security advantage, it also allows Pegasus to use different, albeit similar, infection methods compared to its iOS counterpart.
  • Google’s Chrysaor discovery: In 2017, Google identified Android malware named “Chrysaor” that was believed to be related to Pegasus. It was designed to gain root access to an infected device.

Common infection methods

Beyond vulnerabilities unique to each operating system, Pegasus can infect devices using other methods that can affect both iOS and Android:

  • Zero-click attacks: This is the most dangerous and notorious method, where the spyware is installed on a device without any user action.
  • One-click attacks: Early versions of Pegasus relied on phishing, where a target would receive a message with a malicious link that would install the spyware if clicked.
  • Network injection: In some cases, Pegasus can be installed by intercepting the target’s web traffic on an insecure connection and redirecting them to a spyware installation page.
  • Physical access: In a less common but still possible scenario, Pegasus can be installed by physically accessing a device, for example, by briefly plugging it into a computer.

What this means for users

While both iOS and Android devices are vulnerable to Pegasus, the average person is highly unlikely to be targeted. The spyware is a very expensive, high-stakes surveillance tool used by governments against specific targets of interest. However, the discovery of Pegasus exploits highlights the need for vigilance and basic cybersecurity hygiene on all mobile devices:

  • Keep your phone updated: Regularly install operating system and app updates, as they often contain patches for vulnerabilities that Pegasus or other spyware could exploit.
  • Be cautious with links: While zero-click attacks are a concern, standard phishing attacks still exist. Avoid clicking on suspicious links or attachments from unknown senders.
  • Enable Lockdown Mode (on iPhone): This is a feature on iOS 16 and later that provides an extreme, high-security setting to help protect against rare and highly sophisticated attacks.
  • Restart your phone regularly: In some cases, rebooting a phone can help thwart specific zero-click attacks that don’t survive a reboot.

-----------------------------------

AI Mode
Pegasus spyware has notoriously targeted popular communication applications like iMessage, WhatsApp, and FaceTime, using “zero-click” exploits. The vulnerability of these apps lies in how they handle incoming data, which Pegasus exploits to deliver its malicious code without any user interaction. While targeting these specific apps, Pegasus can then proceed to steal data from numerous other applications once it has infected the device’s operating system.

Communication apps

  • iMessage: Pegasus has repeatedly exploited vulnerabilities within Apple’s iMessage to infect iPhones. The notorious FORCEDENTRY exploit, discovered in 2021, used a vulnerability in how iMessage processes images to deliver Pegasus. Apple has since patched these flaws.
  • WhatsApp: In 2019, it was discovered that Pegasus was exploiting a vulnerability in WhatsApp that allowed attackers to install the spyware by simply placing a WhatsApp call to a target’s phone, even if the call was not answered. Meta (WhatsApp’s owner) has since patched this vulnerability and sued the NSO Group.
  • FaceTime: Pegasus has also exploited vulnerabilities in Apple’s FaceTime to conduct zero-click attacks on iOS devices.
  • Encrypted messaging apps (like Signal and Telegram): While these apps encrypt messages in transit, Pegasus can bypass this protection. It does not break the encryption itself, but rather harvests messages once they are decrypted on the device, or intercepts them before they are encrypted.
  • Viber: In 2025, journalists with the Balkan Investigative Reporting Network (BIRN) were targeted with a Pegasus attack delivered via a phishing link sent to them on the Viber messaging app.
  • SMS: The first known Pegasus exploit on an iPhone in 2016 relied on a spear-phishing attack via text message.

Other targeted apps

Once Pegasus successfully compromises the device’s core operating system, it gains the ability to access and steal data from virtually any app or service on the phone, including:

  • Emails: It can harvest messages from email apps like Gmail.
  • Web browsers: Exploits have been found in the Safari web browser on iOS and Google Chrome on Android.
  • Apple Wallet: In 2023, the BLASTPASS exploit chain used a vulnerability in how Apple Wallet objects are sent via iMessage to deploy Pegasus.
  • Social media apps: It can access data from apps like Facebook and Twitter.
  • Other apps and data: Pegasus can access contacts, browsing history, stored passwords, calendars, and other data. It can also remotely activate the device’s camera and microphone to secretly record audio and video.

-------------------------------------

AI Mode
As a highly sophisticated and stealthy tool, Pegasus is designed to be extremely difficult to detect without specialized forensic analysis. While it doesn’t typically show obvious symptoms, the extensive surveillance activity it conducts can sometimes cause noticeable—but not definitive—issues. Any of the following signs, particularly if they appear in combination, may indicate a phone is compromised.

Device performance issues

The Pegasus spyware runs silently in the background, consuming system resources, which can cause:

  • Unusual battery drain: Your phone’s battery may drain much faster than usual, even when the device is idle.
  • Overheating: The device may feel warm to the touch or overheat unexpectedly during times of inactivity.
  • Sluggish performance: Apps may load slowly, freeze, or crash more frequently than normal.
  • Unexplained reboots: The phone may restart unexpectedly.

Network and data usage anomalies

  • Increased data usage: Spyware requires a large amount of mobile data to upload stolen information, such as photos, videos, and real-time conversations, to the attacker’s servers. You may notice a significant and unexplained increase in your data consumption.
  • Suspicious messages or calls: If you receive strange text messages, emails, or app alerts that include an odd link, it could be a sign that a one-click attack was attempted. Early versions of Pegasus relied on this method. In 2019, a vulnerability in WhatsApp also enabled infections via missed voice calls.

Forensic evidence

The most reliable way to detect Pegasus requires a deep-level forensic examination of your phone’s system logs and files.

  • Mobile Verification Toolkit (MVT): Developed by Amnesty International, this open-source tool is the primary method used by forensic experts to identify indicators of compromise left by Pegasus.
  • Specific log file analysis: As revealed by Kaspersky, analyzing the shutdown.log file on iOS devices can reveal records of reboot events that contain forensic evidence of a Pegasus infection.
  • Evidence of rooting or jailbreaking: Since Pegasus often roots (Android) or jailbreaks (iOS) a device to gain high-level privileges, detecting signs of this unauthorized activity can be an indicator of infection.

Who is most likely to be targeted?

Most people do not need to worry about being targeted by Pegasus. The spyware is a very expensive tool used by state-sponsored actors against a very limited, specific set of targets. The most common victims include:

  • Journalists and human rights activists
  • Political dissidents and opposition leaders
  • Lawyers
  • High-profile business executives

For average users who are concerned about general spyware and malware, standard cybersecurity practices are the most effective defense.

-------------------------------------

AI Mode
A factory reset is generally effective at removing most common spyware and malware from a device. However, when dealing with highly sophisticated, state-sponsored spyware like Pegasus, a factory reset might not be enough. Some of the most potent malware can embed itself so deeply into the operating system or firmware that it can survive a standard factory reset.

Why a factory reset may not work against Pegasus

  • Deep system infection: Pegasus is designed to be persistent. It often establishes itself at a level of the operating system or firmware that is not wiped by a standard factory reset. This deep-rooted infection can allow the spyware to reinstall itself even after a reset is completed.
  • Malware in recovery partitions: In rare cases, malware can infect the recovery partition of a device’s storage. If this occurs, the malicious software will simply be re-implanted onto the device when the operating system is reinstalled during the reset process.
  • Infected backups: If you perform a factory reset and then restore your device from an infected backup, you will simply reintroduce the malware you were trying to eliminate. This is one of the most common reasons a factory reset fails to remove persistent threats.

For common spyware, a factory reset is often effective

For the vast majority of consumer spyware and other malware, a factory reset is a powerful and reliable solution.

  • The process erases all user data, including apps, files, and settings, effectively returning the device to its original, out-of-the-box state.
  • Any malicious app or process that is installed at the user level will be removed during this process.

The safest removal method for Pegasus

If you are a high-risk target and suspect your phone is infected with Pegasus, the safest and most recommended action is more drastic than a factory reset.

  • Get a new device: The most secure course of action is to stop using the potentially compromised phone and purchase a new one.
  • Manually install apps on the new device: On the new device, avoid restoring from a backup. Instead, manually install all your applications to ensure you do not transfer the spyware with a corrupted file.
  • Change your passwords: After moving to the new device, change all your passwords using a clean computer to prevent attackers from maintaining access to your accounts.

--------------------------------------

AI Mode
You can check for Pegasus using a specialized forensic tool called the Mobile Verification Toolkit (MVT), created by Amnesty International. This process is highly technical, but simpler tools have been developed to make it more accessible for iPhone users. Note that due to its stealth, Pegasus is extremely difficult to detect, and these methods are the most reliable options available outside of hiring a cybersecurity expert.

For iPhone users

A more user-friendly option for checking an iPhone for Pegasus is through the desktop application iMazing, which integrates Amnesty International’s MVT.

  1. Download iMazing: Download and install iMazing on your Mac or PC from its official website. The Pegasus detection tool is available in the free version.
  2. Connect your iPhone: Connect your iPhone or iPad to your computer via a USB cable. You may need to enter your passcode on your phone to trust the connection.
  3. Start the scan: In the iMazing app, click on the “Detect Spyware” option. The process requires creating and analyzing a device backup, and iMazing will walk you through the steps.
  4. Review the report: After the analysis is complete, iMazing will generate a report. Look for “Possible infection detected” and review the details for specific indicators of Pegasus.

For Android users

The process for Android is more complex and less automated. It requires using the original command-line version of the Mobile Verification Toolkit (MVT) on a separate Linux or macOS computer.

  1. Install MVT and ADB: On your computer, install the MVT tool and the Android Debug Bridge (ADB), which allows the computer to communicate with your phone. You will need some technical expertise for this step.
  2. Enable USB debugging: On your Android phone, enable “Developer Options” and then turn on “USB Debugging” in your settings.
  3. Connect and run the scan: Connect your Android device to your computer via a USB cable. Use the command line to run the MVT tool, which will analyze the device’s data for indicators of a Pegasus infection.

Who should be concerned?

The Pegasus spyware is not a threat to the average person. Its exorbitant cost and targeted nature mean it is reserved for a very small number of high-profile individuals.

  • Average User: If you believe your phone is behaving oddly, it is far more likely to be due to less sophisticated malware, a failing battery, or another performance issue. Regular security practices and good antivirus software are the best defense against these common threats.
  • High-Risk Target: If you are a journalist, human rights activist, political dissident, or other high-risk individual, and you notice signs of a potential infection, using MVT or iMazing is a prudent step. Consulting a professional cybersecurity expert is also highly recommended.
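
An added example, not part of the post above and not code from Kaspersky, Amnesty International or Norton: a minimal triage of the iOS shutdown.log mentioned under "Forensic evidence". The log layout, the constructed sample lines and the two path prefixes are assumptions of this sketch; a match is a lead for a full MVT or expert analysis, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, NOT from a real device. Assumed layout: each reboot
# logs "After Ns ..." notices listing processes that delayed shutdown,
# then a "SIGTERM: [timestamp]" line that closes the reboot event.
SAMPLE_LOG = """\
After 1.02s, these clients are still here:
\t\tremaining client pid: 71 (/usr/libexec/locationd)
SIGTERM: [1700000000] All buddies have died. Exiting
After 1.01s, these clients are still here:
\t\tremaining client pid: 412 (/private/var/db/EXAMPLE-staging/EXAMPLE.bin)
After 2.03s, these clients are still here:
\t\tremaining client pid: 412 (/private/var/db/EXAMPLE-staging/EXAMPLE.bin)
SIGTERM: [1700086400] All buddies have died. Exiting
"""

# Assumed heuristic: executables running from writable data directories
# that hold up a reboot deserve a closer look. Adjust to your own IOC set.
SUSPECT_PREFIXES = ("/private/var/db/", "/private/var/tmp/")

CLIENT_RE = re.compile(r"remaining client pid: (\d+) \((.+)\)")
SIGTERM_RE = re.compile(r"SIGTERM: \[(\d+)\]")


@dataclass
class RebootEvent:
    timestamp: int                                # raw value from the SIGTERM line
    delays: int = 0                               # number of "After Ns" notices
    clients: dict = field(default_factory=dict)   # process path -> times listed


def parse_shutdown_log(text):
    """Group log lines into one RebootEvent per SIGTERM line.
    Lines after the last SIGTERM (an unfinished reboot) are ignored."""
    events, delays, clients = [], 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("After "):
            delays += 1
        elif (m := CLIENT_RE.match(line)):
            clients[m.group(2)] = clients.get(m.group(2), 0) + 1
        elif (m := SIGTERM_RE.match(line)):
            events.append(RebootEvent(int(m.group(1)), delays, clients))
            delays, clients = 0, {}
    return events


def flag_events(events, prefixes=SUSPECT_PREFIXES):
    """Return (timestamp, delays, [paths]) for reboots that were held up
    by a process whose path starts with one of the suspect prefixes."""
    findings = []
    for ev in events:
        hits = sorted(p for p in ev.clients if p.startswith(prefixes))
        if hits:
            findings.append((ev.timestamp, ev.delays, hits))
    return findings


if __name__ == "__main__":
    for ts, delays, paths in flag_events(parse_shutdown_log(SAMPLE_LOG)):
        print(f"reboot {ts}: {delays} delay notice(s), review {paths}")
```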

Nicely done. :slight_smile:

:jack_o_lantern: :jack_o_lantern: :jack_o_lantern: