How to run a check for the Pegasus spyware on your phone

Amnesty International has released a tool to check if your phone has been affected by Pegasus. The tool comes with a comprehensive set of instructions which enables users through the technical checking process. This would involve backing up the said phone to a separate computer; and then running a check on that backup.

This Amnesty International tool is command line or terminal based, thus some level of technical know-how and patience is prerequisite to running it.

See the steps imperative to getting it up and running:

It will take some amount of technical skill or a bit of patience
In its documentation, Amnesty says the analysis its tool can run on Android phone backups is limited, however the tool can still check for potentially malicious SMS messages and APKs. Again, we recommend following its instructions.

To check your iPhone, the easiest way to start is by making an encrypted backup either using iTunes or Finder on a Mac or PC. You’ll then need to locate that backup, which Apple provides instructions for. Linux users can follow Amnesty’s instructions on how to use the libimobiledevice command line tool to create a backup.

After getting a backup of your phone, you’ll then need to download and install Amnesty’s mvt program, which Amnesty also provides instructions for.

If you’re using a Mac to run the check, you’ll first need to install both Xcode, which can be downloaded from the App Store, and Python3 before you can install and run mvt. The easiest way to obtain Python3 is using a program called Homebrew, which can be installed and run from the Terminal. After installing these, you’ll be ready to run through Amnesty’s iOS instructions.

2. You’ll want to make sure your iPhone’s backup is encrypted
If you run into issues while trying to decrypt your backup, you’re not alone. The tool was giving me errors when I tried to point it to my backup, which was in the default folder. To solve this, I copied the backup folder from that default location into a folder on my desktop and pointed mvt to it. My command ended up looking like this:

(For illustration purposes only. Please use commands from Amnesty’s instructions, as it’s possible the program has been updated.)

mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig

When running the actual scan, you’ll want to point to an Indicators of Compromise file, which Amnesty provides in the form of a file called pegasus.stix2. Those who are brand-new to using the terminal may get tripped up on how to actually point to a file, but it’s relatively simple as long as you know where the file is. For beginners, I’d recommend downloading the stix2 file to your Mac’s Downloads folder. Then, when you get to the step where you’re actually running the check-backup command, add

-i ~/Downloads/pegasus.stix2

into the option section. For reference, my command ended up looking like this. (Again, this is for illustration purposes only. Trying to copy these commands and run them will result in an error):

mvt-ios check-backup -o logs –iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt

(For reference, the ~/ is more or less acting as a shortcut to your user folder; so you don’t have to add in something like /Users/mitchell.)

Again, I’d recommend following along with Amnesty’s instructions and using its commands; as it’s always possible that the tool will have been updated. Security researcher @RayRedacted on Twitter also has a great thread going through some of the issues you may run into while running the tool and how to deal with them.

3. The investigation didn’t find evidence that US phones had been breached by Pegasus
As a final note, Amnesty only provides instructions for installing the tool on macOS and Linux systems. For those looking to run it on Windows, The Verge has confirmed the tool can be used by installing and using Windows Subsystem for Linux (WSL) and following Amnesty’s Linux instructions. Using WSL will require downloading and installing a Linux distro, like Ubuntu, which will take some time. It can, however, be done while you wait for your phone to backup.

After running mvt, you’ll see a list of warnings that either list suspicious files or behavior. It’s worth noting that a warning doesn’t necessarily mean you’ve been infected. For me, some redirects that were totally above board showed up in the section where it checked my Safari history (sheets.google.com redirecting to docs.google.com, reut.rs redirecting to reuters.com, etc). Likewise, I got a few errors; but only because the program was checking for apps that I don’t have installed on my phone.