Check If Your Phone Is Infected With Pegasus Using MVT (Step-by-step Guide)
The revelation that our government might be using spyware called Pegasus to hack into its critics’ phones has started a whole new debate on privacy. The opposition is taking a dig at the ruling party every chance it gets, while the latter is trying to damage control after facing such serious allegations.
Amidst the chaos, one of the members of The Pegasus Project, Amnesty, recently made a public toolkit that can check if your phone is infected with Pegasus. The toolkit, known as MVT, requires users to know their way around the command line.
In a previous post, we wrote about how it works and successfully traces signs of Pegasus. Moreover, we mentioned how MVT is more effective on iOS than Android (the most you can do is scan APKs and SMSes). Hence, in this guide, we’re focusing on breaking down the process to detect Pegasus on iPhone into a step-by-step guide.
What is Pegasus?
Pegasus is a highly sophisticated spyware program developed by NSO Group, an Israeli cyber-arms company. It targets Android and iOS smartphones and can extract sensitive information from them. It gets its name “Pegasus”, which is a winged horse in Greek mythology, due to its ability to transmit over the air with zero user involvement.
Controversially, governments around the world are suspected to have used it on their adversaries, including high-profile journalists, activists, and opposition members.
How does Pegasus spyware infect phones?
Pegasus can enter a target’s device via a simple user interaction such as clicking of an SMS link. However, its intimidating potential lies in its ability to infect a targeted device remotely via its zero-click exploit. This means that even if there’s no risky action from the victim’s end, Pegasus can still enter his device.
When remote infection isn’t feasible, perpetrators can manually install the malware into a device or place a transceiver nearby for the same. To destroy any evidence of itself, Pegasus can also self-destruct and remove its every trace from a device.
What can Pegasus obtain?
There’s an alarming variety of personal and sensitive information Pegasus can obtain. It can access your device information, SMS, encrypted and non-encrypted texts, emails, call history, browser history, location data, passwords, camera, and mic. Furthermore, it can also fetch other data from the third-party apps installed on your Android or iOS device.
Additionally, Pegasus can perform certain tasks in an infected phone. It can record calls, take screenshots, capture camera or mic feed, toggle location sensor, upload local files to its server.
Steps to detect Pegasus on iPhone
First off, you’ll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you’ll have to install libimobiledevice beforehand for that.
Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system — if you don’t have it already. Here’s how you can install the same for Windows, macOS, and Linux.
After that, go through Amnesty’s manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line.
Finally, let’s go through the steps for detecting Pegasus on an iPhone backup using MVT. In this, you have to decrypt your data backup via a command. To do that, you’ll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path.
Note: Replace “/decrypted” with the directory where you want to store the decrypted backup and “/backup” with the directory where your encrypted backup is located.
mvt-ios decrypt-backup -p password -d /decrypted /backup
Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder.
To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path.
mvt-ios check-backup -o /output -i /pegasus.stix2 /backup
Note: Replace “/output” with the directory where you want to store the scan result, “/backup” with the path where your decrypted backup is stored, and “/pegasus.stix2” with the path where you downloaded the latest IOCs.
After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix “_detected,” then that means your iPhone data is most likely Pegasus-infected.
However, the IOCs are regularly updated by Amnesty’s team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.
Victims of Pegasus spyware
In recent years, multiple reports have revealed that several governments used Pegasus to monitor their critics and opposing forces. Here’s a list of countries where Pegasus attacks have reportedly taken place.
| Country | Target | Accused |
| Armenia | Current and former government figures | Armenian and Azerbaijani government |
| Azerbaijan | Journalists, activists | Azerbaijani government |
| Bahrain | Activists, journalists, political parties, government critics | Bahraini government |
| El Salvador | Journalists | Salvadorian government |
| Finland | Diplomats | No information |
| Hungary | Journalists, lawyers, political opposition | Hungarian government |
| India | Activists, journalists, bureaucrats, political opposition | Indian government |
| Israel | Activists, citizens, tourists, current and former government employees, corporate leaders, political opposition | Israeli government and authorities |
| Jordan | Hala Ahed Deeb | No information |
| Kazakhstan | Activists, journalists, government employees | No information |
| Mexico | Criminals, scientists, activists, | Mexican government, drug cartels |
| Morocco | Algerian politicians and military personnel, journalists political opposition | Morrocan government |
| Panama | Political opposition, magistrates, corporate leaders, personal contacts | Ricardo Martinelli |
| Palestine | Activists | No information |
| Poland | Lawyers, journalists, political opposition, government employees | Polish government |
| Rwanda | Activists | No information |
| Saudi Arabia | English and Qatari journalists, Kamel Jendoubi | Saudi Arabian government |
| Spain | Activists, scientists, lawyers, government employees | Spanish government |
| Togo | Government critics | Togolese government |
| Uganda | American diplomats and US embassy employees | Muhoozi Kainerugaba |
| The U. A. E | English journalists and Qatari journalists, Yemen government, activists, personal contacts, Boris Johnson | Emirati government, Mohammed bin Rashid Al Maktoum |
FAQs
Pegasus spyware can infect your phone either remotely or through some user interaction. That means, while it can enter your device from a link you click on, it can alternatively infect your device over the air without any action required from the target’s end.
Yes, if you click on the malicious link inside the message. However, in the case of Pegasus, the spyware can infect your phone even without any user interaction.
Pegasus is a highly sophisticated malicious software and doesn’t show any clear signs of its existence on a device.
In most cases, you can get rid of spyware by performing a factory reset, i.e. deleting all your device data. But, some spyware programs can even get past this solution and stay
