How To Check If Your iPhone Is Infected With Pegasus Using MVT

The revelation that our government might be using spyware called Pegasus to hack into its critics’ phones has started a whole new debate on privacy. The opposition is taking a dig at the ruling party every chance it gets, while the latter is trying to damage control after facing such serious allegations.

Amidst the chaos, one of the members of The Pegasus Project, Amnesty, recently made a public toolkit that can check if your phone is infected with Pegasus. The toolkit, known as MVT, requires users to know their way around the command line.

In a previous post, we wrote about how it works and successfully traces signs of Pegasus. Moreover, we mentioned how MVT is more effective on iOS than Android (the most you can do is scan APKs and SMSes). Hence, in this guide, we’re focusing on breaking down the process to detect Pegasus on iPhone into a step-by-step guide.

First off, you’ll need to create an encrypted backup and transfer it to either a Mac or PC. You can also do this on Linux instead, but you’ll have to install libimobiledevice beforehand for that.

Once the phone backup is transferred, you need to download Python 3.6 (or newer) on your system — if you don’t have it already. Here’s how you can install the same for Windows, macOS, and Linux.

After that, go through Amnesty’s manual to install MVT correctly on your system. Installing MVT will give you new utilities (mvt-ios and mvt-android) that you can use in the Python command line.

Now, let’s go through the steps for detecting Pegasus on an iPhone backup using MVT.

Steps To Detect Pegasus On iPhone

First of all, you have to decrypt your data backup. To do that, you’ll need to enter the following instruction format while replacing the placeholder text (marked with a forward slash) with your custom path.

mvt-ios decrypt-backup -p password -d /decrypted /backup

Note: Replace “/decrypted” with the directory where you want to store the decrypted backup and “/backup” with the directory where your encrypted backup is located.

Now, we will run a scan on the decrypted backup, referencing it with the latest IOCs (possible signs of Pegasus spyware), and store the result in an output folder.

To do this, first, download the newest IOCs from here (use the folder with the latest timestamp). Then, enter the instruction format as given below with your custom directory path.

mvt-ios check-backup -o /output -i /pegasus.stix2 /backup

Note: Replace “/output” with the directory where you want to store the scan result, “/backup” with the path where your decrypted backup is stored, and “/pegasus.stix2” with the path where you downloaded the latest IOCs.

After the scan completion, MVT will generate JSON files in the specified output folder. If there is a JSON file with the suffix “_detected,” then that means your iPhone data is most likely Pegasus-infected.

However, the IOCs are regularly updated by Amnesty’s team as they develop a better understanding of how Pegasus operates. So, you might want to keep running scans as the IOCs are updated to make sure there are no false positives.

Source: How To Check If Your Phone Is Infected With Pegasus Using MVT

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft