Pegasus Spyware Signs Can Be Detected on Your Phone Using This Dedicated Tool


Pegasus spyware from Israel-based NSO Group was found to have allegedly helped governments in countries including India hack into the phones of thousands of activists, journalists, and politicians. An international consortium of news outlets revealed some details of the targets in the last couple of days. However, the scope of targeted attacks through Pegasus is yet to be defined. Meanwhile, researchers at Amnesty International have developed a tool to let you see whether your phone has been targeted by the spyware.

Called Mobile Verification Toolkit (MVT), the tool is designed to help you identify whether the Pegasus spyware has targeted your phone. It works with both Android and iOS devices, though the researchers noted that it is easier to find signs of compromise on iPhones than on Android devices because more forensic traces are available on the Apple hardware.

“In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former,” the non-governmental organisation said in its research.

Users need to generate a backup of their data so that MVT can decrypt locally stored files from their phone and look for Pegasus indicators. In the case of a jailbroken iPhone, however, a full filesystem dump can also be used for the analysis.

In its current stage, MVT requires some command line knowledge. It may, however, receive a graphical user interface (GUI) over time. The tool’s code is also open source and is available along with its detailed documentation through GitHub.

Once a backup is created, MVT uses known indicators such as domain names and binaries to look for traces related to NSO’s Pegasus. The tool is also capable of decrypting iOS backups if they are encrypted. Further, it extracts installed apps and diagnostic information from Android devices to analyse data for any potential compromise.
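As an added illustration of the indicator matching described above (not MVT's code and not part of the original article), this Python example checks hostnames from browser-history-style records against a list of indicator domains, matching on whole domain labels so that a look-alike hostname does not produce a false hit. The indicator domains, record layout and function names are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed indicator list: placeholder domains, not real Pegasus IOCs.
INDICATOR_DOMAINS = {"bad-infra.example", "cdn.tracker.test"}

# Constructed records shaped like browser-history rows pulled from a backup.
SAMPLE_HISTORY = [
    {"id": 1, "url": "https://news.example.org/story?id=7"},
    {"id": 2, "url": "https://a1b2.bad-infra.example:30495/x/y"},
    {"id": 3, "url": "http://notbad-infra.example/login"},
    {"id": 4, "url": "https://CDN.Tracker.Test./pixel.gif"},
    {"id": 5, "url": "not a url"},
]


def host_of(url):
    """Return the lowercased hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def matching_indicator(host, indicators):
    """Return the indicator equal to host or to a parent domain of it, else None."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan(records, indicators):
    """Return (record id, host, indicator) for each record that hits an indicator."""
    hits = []
    for rec in records:
        host = host_of(rec["url"])
        if host is None:
            continue  # unparseable entry: nothing to compare
        ioc = matching_indicator(host, indicators)
        if ioc:
            hits.append((rec["id"], host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_HISTORY, INDICATOR_DOMAINS):
        print(hit)
```

Record 3 shows why matching is done on label boundaries: a plain substring test would flag `notbad-infra.example` even though it is a different domain from the indicator.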

MVT requires at least Python 3.6 to run on a system. If you are on a Mac machine, it also needs to have Xcode and Homebrew installed. You also need to install dependencies if you want to look for forensic traces on an Android device.

After you are done with the installation of MVT on your system, you need to feed in Amnesty’s indicators of compromise (IOCs) that are available on GitHub.

As reported by TechCrunch, the tool may in some instances flag a possible compromise that turns out to be a false positive, which then needs to be removed from the available IOCs. You can, however, read the organisation’s forensic methodology report to check out the known indicators and look for them in your backup.

In collaboration with Amnesty International, Paris-based journalism nonprofit Forbidden Stories shared a list of more than 50,000 phone numbers with the news outlet consortium Pegasus Project. Of the total numbers, journalists were able to find more than a thousand individuals in 50 countries who were allegedly targeted by the Pegasus spyware.

The list of targets included journalists working for organisations including The Associated Press, Reuters, CNN, The Wall Street Journal, and India’s The Wire, among others. Some political figures, including Rahul Gandhi of the Indian National Congress and political strategist Prashant Kishor, were also recently claimed to be among the targets.

