Indications of compromise have not been published for the Pegasus malware, though press reports can be inferred to indicate that current apps and current software were not breached; this is based on those reportedly targeted but not breached. The press reports of the Pegasus malware also indicated that infections were not persistent, but were re-introduced (as no-click exploits) as needed.
Patch to current, maintain current devices, restart.
Some information on how iPhone and iPad have been targeted has been published, and I’d expect Apple will be hardening those areas. Apple’s recently deployed “blast door” is relevant here, and I expect additional efforts will be made by Apple.
If you are a target of those with the budget for Pegasus or what other products we don’t yet know about, you will want to get explicit help with your security. This can include a number of techniques to reduce the value of your devices to those employing Pegasus, and to isolate sensitive information. The vast majority of those reading here are not targets. Criminals, political dissidents, investigative journalists, those with access to sensitive data or with access to substantial finances, are targets. As are their closest associates.
There will be increased advertising efforts for add-on apps that are seemingly little better than data collection packages, and for other add-on apps that cannot scan your devices for compromises, and the on-going efforts to phish our credentials and other information from us will continue apace, of course.
There was and is and will be no perfect security, and those with the budgets will continue to seek to compromise our devices, whether iPhone, iPad, macOS, Windows, Linux, or otherwise. We are already on an update treadmill with security and with security-related protocols including SSL/TLS connection security, and that treadmill will only continue.
Persistence past a reload has not been reported, and is rarely reported in other cases. Unfortunately, the no-click infections render reloading less than useful.
In short, there’s little any of us can do technically (for now), pending further information on Pegasus and/or fixes from Apple, beyond those of us that are targets partitioning our data and our activities and our device-equipped travels. This is past robust and unique passwords, two-factor authentication, SSL/TLS/HTTPS everywhere, data hygiene, keeping current both with hardware and software, keeping sketchy apps off our devices, and with what Apple has previously published:
https://manuals.info.apple.com/MANUALS/1000/MA1976/en_US/device-and-data-access-when-personal-safety-is-at-risk.pdf
Same recommendations as before Pegasus became the centerpiece.
There will be much more happening here over the next weeks and months too, from Apple and elsewhere, as well as more information arising from press sources. And there will be the inevitable barrage of advertising around “security” apps, various of which are seemingly centrally data-harvesting or self-propagating advertising efforts.
I’ll likely publish a user tip with this and other info, as more info becomes available.