Here’s how to check your phone for Pegasus spyware using Amnesty’s tool


Amnesty International — part of the group that helped break the news of journalists and heads of state being targeted by NSO’s government-grade spyware, Pegasus — has released a tool to check if your phone has been affected. Alongside the tool is a great set of instructions, which should help you through the somewhat technical checking process. Using the tool involves backing up your phone to a separate computer and running a check on that backup. Read on if you’ve been side-eyeing your phone since the news broke and are looking for guidance on using Amnesty’s tool.

The first thing to note is the tool is command line or terminal based, so it will take either some amount of technical skill or a bit of patience to run. We try to cover a lot of what you need to know to get up and running here, but it’s something to know before jumping in.

The second note is that the analysis Amnesty is running seems to work best for iOS devices. In its documentation, Amnesty says the analysis its tool can run on Android phone backups is limited, but the tool can still check for potentially malicious SMS messages and APKs. Again, we recommend following its instructions.

To check your iPhone, the easiest way to start is by making an encrypted backup either using iTunes or Finder on a Mac or PC. You’ll then need to locate that backup, which Apple provides instructions for. Linux users can follow Amnesty’s instructions on how to use the libimobiledevice command line tool to create a backup.

After getting a backup of your phone, you’ll then need to download and install Amnesty’s mvt program, which Amnesty also provides instructions for.

If you’re using a Mac to run the check, you’ll first need to install both Xcode, which can be downloaded from the App Store, and Python3 before you can install and run mvt. The easiest way to obtain Python3 is using a program called Homebrew, which can be installed and run from the Terminal. After installing these, you’ll be ready to run through Amnesty’s iOS instructions.

If you run into issues while trying to decrypt your backup, you’re not alone. The tool was giving me errors when I tried to point it to my backup, which was in the default folder. To solve this, I copied the backup folder from that default location into a folder on my desktop and pointed mvt to it. My command ended up looking like this:

(For illustration purposes only. Please use commands from Amnesty’s instructions, as it’s possible the program has been updated.)

mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig

When running the actual scan, you’ll want to point to an Indicators of Compromise file, which Amnesty provides in the form of a file called pegasus.stix2. Those who are brand-new to using the terminal may get tripped up on how to actually point to a file, but it’s relatively simple as long as you know where the file is. For beginners, I’d recommend downloading the stix2 file to your Mac’s Downloads folder. Then, when you get to the step where you’re actually running the check-backup command, add

-i ~/Downloads/pegasus.stix2

into the option section. For reference, my command ended up looking like this. (Again, this is for illustration purposes only. Trying to copy these commands and run them will result in an error):

mvt-ios check-backup -o logs –iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt

(For reference, the ~/ is more or less acting as a shortcut to your user folder, so you don’t have to add in something like /Users/mitchell.)

Again, I’d recommend following along with Amnesty’s instructions and using its commands, as it’s always possible that the tool will have been updated. Security researcher @RayRedacted on Twitter also has a great thread going through some of the issues you may run into while running the tool and how to deal with them.

As a final note, Amnesty only provides instructions for installing the tool on macOS and Linux systems. For those looking to run it on Windows, The Verge has confirmed the tool can be used by installing and using Windows Subsystem for Linux (WSL) and following Amnesty’s Linux instructions. Using WSL will require downloading and installing a Linux distro, like Ubuntu, which will take some time. It can, however, be done while you wait for your phone to backup.

After running mvt, you’ll see a list of warnings that either list suspicious files or behavior. It’s worth noting that a warning doesn’t necessarily mean you’ve been infected. For me, some redirects that were totally above board showed up in the section where it checked my Safari history (sheets.google.com redirecting to docs.google.com, reut.rs redirecting to reuters.com, etc). Likewise, I got a few errors, but only because the program was checking for apps that I don’t have installed on my phone.

The story around Pegasus has likely left many of us regarding our phones with a bit more suspicion than usual, regardless of whether we’re likely to be targeted by a nation-state. While running the tool could (hopefully) help to ease some fears, it’s probably not a necessary precaution for many Americans. NSO Group has said its software cannot be used on phones with US numbers, according to The Washington Post, and the investigation didn’t find any evidence that US phones had been successfully breached by Pegasus.

While it’s nice to see that Amnesty made this tool available with solid documentation, it only really helps to address the privacy concerns around Pegasus. As we’ve seen recently, it doesn’t take a government targeting your phone’s microphone and camera to get private information — the data broker industry could be selling your location history even if your phone is Pegasus-free.