no idea if this is still the case for the latest version of pegasus. but in 2019, it was observed that the malware tries to hide its tracks by cleaning DataUsage.sqlite, a database file that stores records of tx/rx on mobile data. but it left an observable inconsistency in doing so, wiping only one of the two pertinent tables. source[0]
They released this on github. I would love for them to put out a simple tool that allows you to lookup if your number is on the leaked list, they can copy that has my password been pwned technique to make it safe
[0] https://twitter.com/billmarczak/status/1416801514685796352