Pegasus: The non-profit organization Amnesty International has released a manual on how to find out if a cell phone is infected with Pegasus spyware. The institution has identified attacks since 2014, but intensified its investigations from 2018, with the identification of “zero click” attacks, which do not require interaction from the target.
The organization’s Security Laboratory performed forensic analysis on several phones of journalists and human rights defenders. Investigators discovered traces left on iOS and Android devices after the spy program’s attack.
From this, Amnesty developed the open-source Mobile Verification Toolkit (MVT) to help researchers and information security technicians detect these threats.
How to find out if your smartphone is infected with Pegasus
To identify the presence of spyware from the NSO Group, it takes some technical knowledge and a little patience. Amnesty’s analytics tool seems to work best on iOS devices. On Android, the program has limited effectiveness, but it can identify malicious SMS messages and APKs.
Verification requires several steps. Below, we summarize the main actions to be taken to identify spying on an iPhone. As the process requires technical knowledge, do it at your own risk.
1. Download Amnesty’s MVT program.
2. Install Xcode available from the App Store.
3. Get Python 3. The easiest way is to install the Homebrew package manager, with this command in the terminal:
ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
4. Install libimobiledevice using this command in the terminal:
brew install --HEAD libimobiledevice
5. Connect the device via USB cable and execute the command ideviceinfo.
6. Back up using iTunes or Finder on a Mac or PC.
7. Find the encrypted backup file and copy it to another folder.
8. Decrypt the backup file.
9. Check the log files extracted by MVT.
The Amnesty International MVT page provides instructions for analyzing Android phones, actions that can be performed from Linux, and additional steps that may be necessary in some cases.
After running MVT, a list of warnings with suspicious files or behavior will be displayed. A program alert, however, does not necessarily mean that you have been infected.
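The following Python script is an added example, not code from this article or from the MVT project. It supports step 9 by walking an MVT output folder and counting the records in each `<module>_detected.json` file, where MVT stores entries that matched an indicator, so each alert can be reviewed one by one. The sample folder, its module names and its record fields are constructed for illustration.

```python
import json
import sys
import tempfile
from pathlib import Path

SUFFIX = "_detected.json"  # MVT stores a module's indicator matches in <module>_detected.json


def summarize_detections(output_dir):
    """Map each module that produced a *_detected.json file to its flagged-record count."""
    summary = {}
    for path in sorted(Path(output_dir).rglob("*" + SUFFIX)):
        module = path.name[: -len(SUFFIX)]
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            summary[module] = None  # unreadable or truncated: inspect by hand
            continue
        summary[module] = len(records) if isinstance(records, list) else 1
    return summary


def report(summary):
    """Turn the summary into one line per module for the analyst."""
    if not summary:
        return ["no *_detected.json files found: nothing was flagged"]
    lines = []
    for module, count in sorted(summary.items()):
        if count is None:
            lines.append(f"{module}: file could not be parsed, open it manually")
        else:
            lines.append(f"{module}: {count} flagged record(s) to review")
    return lines


def build_sample_output(root):
    """Constructed stand-in for an MVT output folder (names and fields are made up)."""
    root = Path(root)
    (root / "sms.json").write_text(json.dumps([{"text": "hi"}, {"text": "constructed"}]))
    (root / "sms_detected.json").write_text(json.dumps([{"text": "constructed"}]))
    (root / "safari_history.json").write_text(json.dumps([{"url": "https://example.com/"}]))
    (root / "datausage_detected.json").write_text("[{truncated")
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: pass the folder MVT wrote its results to
        print("\n".join(report(summarize_detections(sys.argv[1]))))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            print("\n".join(report(summarize_detections(build_sample_output(tmp)))))
```

Each flagged record is a lead to examine in the corresponding full module file, in line with the point above that an alert alone does not confirm infection.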