Check If Your Phone Is Infected With Pegasus Using MVT (Step-by-step Guide)

Here's how to find out if your device is Pegasus-infected.


The revelation that our government might be using spyware called Pegasus to hack into its critics’ phones has started a whole new debate on privacy. The opposition is taking a dig at the ruling party every chance it gets, while the latter is trying to damage control after facing such serious allegations.

Amidst the chaos, Amnesty International, one of the members of The Pegasus Project, recently released a public toolkit that can check whether your phone is infected with Pegasus. The toolkit, known as MVT (Mobile Verification Toolkit), requires users to know their way around the command line.

In a previous post, we wrote about how it works and successfully traces signs of Pegasus. Moreover, we mentioned how MVT is more effective on iOS than Android (the most you can do is scan APKs and SMSes). Hence, in this guide, we’re focusing on breaking down the process to detect Pegasus on iPhone into a step-by-step guide.

What is Pegasus?

Pegasus is a highly sophisticated spyware program developed by NSO Group, an Israeli cyber-arms company. It targets Android and iOS smartphones and can extract sensitive information from them. It gets its name “Pegasus”, which is a winged horse in Greek mythology, due to its ability to transmit over the air with zero user involvement.

Controversially, governments around the world are suspected to have used it on their adversaries, including high-profile journalists, activists, and opposition members.

How does Pegasus spyware infect phones?

Pegasus can enter a target’s device via a simple user interaction such as clicking an SMS link. However, its intimidating potential lies in its ability to infect a targeted device remotely via a zero-click exploit. This means that even if there’s no risky action on the victim’s part, Pegasus can still enter the device.


When remote infection isn’t feasible, perpetrators can manually install the malware on a device or place a transceiver nearby for the same purpose. To destroy any evidence of itself, Pegasus can also self-destruct and remove every trace of itself from a device.

What can Pegasus obtain?

There’s an alarming variety of personal and sensitive information Pegasus can obtain. It can access your device information, SMS, encrypted and non-encrypted texts, emails, call history, browser history, location data, passwords, camera, and mic. Furthermore, it can also fetch other data from the third-party apps installed on your Android or iOS device.

Additionally, Pegasus can perform certain tasks on an infected phone. It can record calls, take screenshots, capture the camera or mic feed, toggle the location sensor, and upload local files to its server.

Steps to detect Pegasus on iPhone

First off, you’ll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you’ll have to install libimobiledevice beforehand for that.

Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system — if you don’t have it already. Here’s how you can install the same for Windows, macOS, and Linux.

After that, go through Amnesty’s manual to install MVT correctly on your system. Installing MVT gives you two new command-line utilities, mvt-ios and mvt-android, which you run from a terminal.

Finally, let’s go through the steps for detecting Pegasus in an iPhone backup using MVT. First, you have to decrypt your data backup with a command. To do that, enter the following instruction format, replacing the placeholder paths (the parts starting with a forward slash) with your own.

Note: Replace “/decrypted” with the directory where you want to store the decrypted backup and “/backup” with the directory where your encrypted backup is located.

mvt-ios decrypt-backup -p password -d /decrypted /backup

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder.

To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path.

mvt-ios check-backup -o /output -i /pegasus.stix2 /backup

Note: Replace “/output” with the directory where you want to store the scan result, “/backup” with the path where your decrypted backup is stored, and “/pegasus.stix2” with the path where you downloaded the latest IOCs.

After the scan completes, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix “_detected”, that means your iPhone data is most likely Pegasus-infected.
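The check described above (look for any “_detected” JSON file in the MVT output folder) can be automated. The script below is an added example, not part of the article or of MVT itself; it assumes only the “<module>_detected.json” naming convention the guide describes, and the record fields in the constructed sample files are illustrative, not MVT’s exact schema.

```python
import json
import tempfile
from pathlib import Path


def summarize_detections(output_dir):
    """Map each MVT module that has a '<module>_detected.json' file to its record count.

    MVT writes '<module>.json' per module and, when indicators matched, also
    '<module>_detected.json' (the file the guide says to look for). Each detected
    file is assumed to hold a JSON list of records.
    """
    summary = {}
    for path in sorted(Path(output_dir).glob("*_detected.json")):
        module = path.name[: -len("_detected.json")]
        with path.open(encoding="utf-8") as fh:
            records = json.load(fh)
        if isinstance(records, dict):  # tolerate a single object instead of a list
            records = [records]
        summary[module] = len(records)
    return summary


def is_likely_infected(output_dir):
    """The guide's rule of thumb: any '_detected' file with at least one record."""
    return any(count > 0 for count in summarize_detections(output_dir).values())


def write_sample_output(root, infected=True):
    """Write a constructed, MVT-style output folder so the demo runs offline."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    # Modules with no matches: MVT still writes their (here empty) result files.
    (root / "safari_history.json").write_text("[]", encoding="utf-8")
    (root / "datausage.json").write_text("[]", encoding="utf-8")
    if infected:
        # Constructed hit; the field names are illustrative, not MVT's schema.
        hits = [{"timestamp": "2021-07-01 10:15:42",
                 "url": "https://ioc.example.invalid/x",
                 "matched_indicator": "domain: ioc.example.invalid"}]
        (root / "safari_history_detected.json").write_text(json.dumps(hits), encoding="utf-8")
    return root


def demo(infected=True):
    """Build a throwaway sample folder and return (summary, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        out = write_sample_output(tmp, infected)
        return summarize_detections(out), is_likely_infected(out)


if __name__ == "__main__":
    summary, verdict = demo()
    print(summary, "likely infected:", verdict)
```

Point `summarize_detections` at the real “/output” folder from the check-backup step to get the per-module counts for your own scan.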

However, the IOCs are regularly updated by Amnesty’s team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.

Victims of Pegasus spyware

In recent years, multiple reports have revealed that several governments used Pegasus to monitor their critics and opposing forces. Here’s a list of countries where Pegasus attacks have reportedly taken place.

Country | Target | Accused
--- | --- | ---
Armenia | Current and former government figures | Armenian and Azerbaijani governments
Azerbaijan | Journalists, activists | Azerbaijani government
Bahrain | Activists, journalists, political parties, government critics | Bahraini government
El Salvador | Journalists | Salvadoran government
Finland | Diplomats | No information
Hungary | Journalists, lawyers, political opposition | Hungarian government
India | Activists, journalists, bureaucrats, political opposition | Indian government
Israel | Activists, citizens, tourists, current and former government employees, corporate leaders, political opposition | Israeli government and authorities
Jordan | Hala Ahed Deeb | No information
Kazakhstan | Activists, journalists, government employees | No information
Mexico | Criminals, scientists, activists | Mexican government, drug cartels
Morocco | Algerian politicians and military personnel, journalists, political opposition | Moroccan government
Panama | Political opposition, magistrates, corporate leaders, personal contacts | Ricardo Martinelli
Palestine | Activists | No information
Poland | Lawyers, journalists, political opposition, government employees | Polish government
Rwanda | Activists | No information
Saudi Arabia | English and Qatari journalists, Kamel Jendoubi | Saudi Arabian government
Spain | Activists, scientists, lawyers, government employees | Spanish government
Togo | Government critics | Togolese government
Uganda | American diplomats and US embassy employees | Muhoozi Kainerugaba
The U.A.E. | English and Qatari journalists, Yemeni government, activists, personal contacts, Boris Johnson | Emirati government, Mohammed bin Rashid Al Maktoum

FAQs

How does Pegasus get on your phone?

Pegasus spyware can infect your phone either remotely or through some user interaction. That means, while it can enter your device from a link you click on, it can alternatively infect your device over the air without any action required from the target’s end.

Can spyware be installed via text message?

Yes, if you click on the malicious link inside the message. However, in the case of Pegasus, the spyware can infect your phone even without any user interaction.

What signs does a Pegasus-infected phone show?

Pegasus is a highly sophisticated malicious software and doesn’t show any clear signs of its existence on a device.

Can spyware survive a factory reset?

In most cases, you can get rid of spyware by performing a factory reset, i.e. deleting all your device data. But, some spyware programs can even get past this solution and stay

Priye Rai


Priye is a tech writer at Fossbytes, who writes about gaming and anything remotely related to tech, including smartphones, apps, OTT, etc. He prefers to be called a "video game journalist" and grimaces when he doesn't get to be "Player 1." If you want to talk about games or send any feedback, drop him a mail at [email protected]
