Is there anything that prevents Pegasus from spreading by itself or must it be installed via a targeted attack? And is there a way of scanning for it to see if a phone is infected?
From what I was able to read previously, it has no ability to spread by itself and has to be installed by a targeted attack. There is also a tool from Amnesty International that can detect it (or was able to): https://github.com/mvt-project/mvt

It is a race, though, so past info may no longer be valid. However, I doubt it will ever be able to spread by itself, since it uses very expensive zero-days to infect and they will be quickly fixed after detection.