How To Use the Mobile Verification Toolkit – Pegasus Check

If you’re like many other people, you want to know if your government used Pegasus to spy on your smartphone. The good news is that Amnesty International recently released a tool that you can use to check if software like Pegasus was used to target your smartphone device.

Even better, Amnesty has provided users with a helpful guide that anyone can follow to learn how to use the Mobile Verification Toolkit for Pegasus Check. The process is somewhat technical, but if you follow the instructions you’ll be able to check your device. Essentially, you’ll have to backup your phone data on a computer using the tools mentioned in the guide and then run a few tests on the backup file.

An image featuring a person holding his phone that has an antivirus logo on it and behind it green code representing mobile verification toolkit concept

Now, you won’t have an app with a nice GUI to do all the work here. Instead, you’ll have to use the terminal or command line to use the tool. This may seem intimidating at first, but you should have no trouble navigating through the process as long as you follow Amnesty’s instructions. They have instructions for both iOS and Android devices.

Alternatively, you can follow the steps that we’ve laid out below. We’ve focused on the steps needed to check an iOS device, but the process is similar for an Android device.

An image featuring mobile safety concept

First, make an encrypted backup by following these instructions. When that’s done, you need to locate the backup on your Mac. If you’re on the Linux platform that’s even better since Amnesty International itself provides instructions for that platform. On Linux, you’ll have to use a command-line tool by the name of libimobiledevice to generate a backup.

Once you’ve completed the backup process, you need to get the MVT program from Amnesty by following the instructions found here. Mac users need to ensure that they also have Python 3 and Xcode on their computers. Xcode can be found in the App Store, but Python 3 will need to be installed by first installing Homebrew and then searching for Python 3. Once this is done, Mac users can then run the MVT application.

Note:

Only after you’ve gone through these steps should you follow the Amnesty International iOS instructions for Pegasus infection.

Sometimes when you try to pick your backup to feed to the MVT program it may give you an error. A solution that may work for you is to move your backup from the default location to someplace easier to access, like your desktop, and then pick the backup file via the MVT program from there.

To use the MVT tools after you’ve created a backup, you first have to decrypt your backup. The pages we’ve linked to above go through the steps you need to take for decryption. The current command for decrypting a backup for iOS devices is:

mvt-ios decrypt-backup -p password -d /path/to/decrypted /path/to/backup

An image featuring mobile safety concept

The last two portions of the above command will change depending on where you have the backup and where you want it decrypted. Since these parts of the command can change, it’s important that you follow the instructions in the links we’ve included.

After that, you’ll run the scan on your backup file. When doing that, you have to point to Amnesty’s Indicators of Compromise file.

You can get that file from here. The file you’re looking for is named pegasus.stix2.

Assuming you know where you downloaded the file, you can make the process simpler by adding the command:

-i ~/Downloads/pegasus.stix2

when you’re running the command for checking your backup. Look for the options section to get to the input field for the above command. For example, the basic command for checking an iOS backup with MVT (assuming you did your backup via iTunes) is:

mvt-ios check-backup –output /path/to/output/ /path/to/backup/udid/

But if you want to specify the STIX2 file you downloaded to check against the previously mentioned malicious indicators then the command will change a bit. It will now be something like this:

mvt-ios check-backup -o logs –iocs ~/Downloads/pegasus.stix2 /path/to/backup/udid/

The -o addition to the basic command logs the output in the provided path. And the –iocs argument allows you to specify the STIX2 file. That’s followed by the location of the backup file. Again, it is always better if you follow the instructions given on the Amnesty International page for MVT for Pegasus check because new developments may have changed the commands.

An image featuring the Amnesty International logo and text zoomed in

Another thing we should mention here is that the Amnesty International page for MVT Pegasus check provides instructions for Linux and macOS systems only.

Windows users will have to install WSL or Windows Subsystem for Linux applications and then continue with the default Linux instructions given on Amnesty International’s MVT page. You’ll need a Linux distribution to run the program and you’re free to choose any version you like.

What Will Happen When You Run MVT Commands?

After you go through this process, you should see a list of warnings of suspicious behavior and files. Of course, not all warnings will mean that your phone was hacked and spied on. You’ll have to check each result to see where it leads.

An image featuring mobile safety concept

Conclusion

The Pegasus check tool is useful but isn’t always accurate. TechCrunch reported that it may find compromised files that aren’t actually compromised. In other words, watch out for false positives.

As always you’ll have to keep an eye on the forensic methodology report from Amnesty International to catch malicious indicators and see if they’re present in your copy of your phone’s backup file.

Zohair A. Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.