You Can Now Check Your iPhone To See If It’s Infected With Pegasus Spyware
There has been a ton of news over the last day or so about the Pegasus spyware from NSO Group. The software is used to spy on targets without their knowledge, and it has recently been found on devices owned by journalists, government officials, and more. While it’s highly unlikely that your phone is infected with Pegasus, there is a way to confirm. It isn’t a fun process, though.
According to a report by TechCrunch, a free software download is all you need to get the ball rolling. But you’ll need to give the tool a recent iPhone backup to work on. TechCrunch says the whole thing takes about ten minutes if you already have the backup ready to go.
Here’s how TechCrunch explains the process.
The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed it in to check for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.
The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.
Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spat out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the output files.
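To make the IOC-matching step concrete, here is an added example (not MVT’s own code) of the core check the toolkit performs on text messages: extract every URL from a message body and match its hostname, or any parent domain of it, against a list of indicator domains. The IOC domains and SMS records below are constructed placeholders; with MVT you would load Amnesty’s real indicator file from GitHub and read the messages out of the backup instead.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder IOC domains, standing in for the entries in
# Amnesty's indicator file (hypothetical names, not real infrastructure).
IOC_DOMAINS = frozenset({"ioc-example.test", "another-ioc.example"})

# Constructed sample SMS records in the shape you would pull from a backup:
# (row id, sender, message body).
SAMPLE_SMS = [
    (1, "+10000000001", "Your package is waiting: https://track.ioc-example.test/p/1"),
    (2, "+10000000002", "Lunch tomorrow?"),
    (3, "+10000000003", "Invoice attached http://another-ioc.example/inv"),
    (4, "+10000000004", "See https://example.org/news"),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname_matches(host, iocs):
    """Return the most specific IOC domain that host equals or sits under,
    or None. Walks up the labels so x.y.ioc-example.test hits ioc-example.test."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_messages(records, iocs):
    """Return (row_id, hostname, matched_ioc) for every URL in the records
    whose hostname matches the IOC domain list."""
    hits = []
    for row_id, _sender, body in records:
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not host:
                continue
            ioc = hostname_matches(host, iocs)
            if ioc:
                hits.append((row_id, host, ioc))
    return hits


if __name__ == "__main__":
    for row_id, host, ioc in scan_messages(SAMPLE_SMS, IOC_DOMAINS):
        print(f"row {row_id}: {host} matches IOC {ioc}")
```

A hit means only that a known indicator appeared in a message, which is why MVT writes its findings to files for review rather than declaring a verdict on its own.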
You can download the tool from GitHub right now, and that’s where you’ll find the documentation you need, too. Whether it’s worth the hassle is another matter, but if you’re worried, you at least now have the tool you need to check.