Amnesty International, part of the group that helped break the news of journalists and heads of state being targeted by NSO’s government-grade spyware, Pegasus, has released a tool to check whether your phone is affected. Alongside the tool is a good set of instructions, which should help you through the somewhat technical checking process. Using the tool involves backing up your phone to a separate computer and running a check on that backup. Read on if you’ve been eyeing your phone since the news broke and want help using Amnesty’s tool.
The first thing to note is that the tool is command-line (terminal) based, so it requires some technical skill or a little patience to use. We try to cover much of what you need to know to get started here, but it’s worth knowing that before jumping in.
The second note is that the analysis Amnesty’s tool performs works best on iOS devices. In its documentation, Amnesty says the analysis the tool can perform on Android phone backups is limited, though it can still check for potentially malicious text messages and APKs. Again, we recommend following the instructions.
To check your iPhone, the easiest route is to create an encrypted backup with iTunes or Finder on a Mac or PC. You then need to locate that backup; Apple provides instructions for finding it. Linux users can follow Amnesty’s instructions on using the command-line tool libimobiledevice to create a backup.
After backing up your phone, you need to download and install Amnesty’s mvt program, for which Amnesty also provides instructions.
If you’re using a Mac to run the check, you’ll need to install both Xcode, which can be downloaded from the App Store, and Python 3 before you can install and run mvt. The simplest way to get Python 3 is with Homebrew, a package manager that is installed and run from the Terminal. Once you’ve installed it, you’re ready to start reading Amnesty’s iOS instructions.
If you’re having trouble decrypting your backup, you’re not alone. The tool gave me errors when I tried to point it at my backup, which was in the default folder. To fix this, I copied the backup folder from that default location to a folder on my desktop and pointed mvt at that instead. My command ended up looking like this:
(For illustrative purposes only. Use the commands from Amnesty’s instructions, as the program may have been updated.)
mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig
When you run the actual scan, you should reference an Indicators of Compromise file, which Amnesty offers as a file called pegasus.stix2. Those completely new to the terminal may stumble over how to actually reference a file, but it’s relatively easy as long as you know where the file is. For beginners, I recommend downloading the stix2 file to your Mac’s Downloads folder. Then, when you get to the step where you run the check-backup command, add --iocs ~/Downloads/pegasus.stix2 in the options section. For reference, my command ended up looking like this. (Again, this is for illustration only. Attempting to copy and run these commands verbatim will result in an error):
mvt-ios check-backup -o logs --iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt
(For reference, ~/ is shorthand for your home directory, so you don’t need to type something like /Users/mitchell.)
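As an added example (not Amnesty’s code or part of mvt), the Python below does the housekeeping around those two commands: it checks that a folder really is a Finder/iTunes backup, copies it out of the default location as described above, and builds the decrypt-backup and check-backup argument lists with --iocs spelled out. The working folder, the IoC path and the MVT_BACKUP_PASSWORD variable name are placeholders.

```python
import os
import shutil
from pathlib import Path
# Added example, not Amnesty's code: stages a Finder/iTunes backup into a plain
# working folder and builds the two mvt-ios commands the article runs. All paths
# and the password variable name are placeholders.

# Every Finder/iTunes backup has these files at its top level.
BACKUP_MARKERS = ("Manifest.db", "Manifest.plist", "Info.plist")

def is_backup_dir(path):
    """True if the folder looks like a complete iOS backup."""
    p = Path(path).expanduser()
    return p.is_dir() and all((p / m).is_file() for m in BACKUP_MARKERS)

def stage_backup(src, work_dir):
    """Copy a backup out of Apple's default location into work_dir/orig.

    This is the article's workaround for mvt erroring on the default folder.
    ~ is expanded explicitly because only the shell does that for you.
    """
    src = Path(src).expanduser()
    if not is_backup_dir(src):
        raise ValueError(f"not an iOS backup folder: {src}")
    dest = Path(work_dir).expanduser() / "orig"
    shutil.copytree(src, dest, dirs_exist_ok=True)
    return dest

def mvt_commands(work_dir, iocs):
    """Return argv lists for the decrypt-backup and check-backup steps.

    Lists, not a shell string, so a space in a path (as in
    'Application Support') needs no quoting. The backup password is read from
    MVT_BACKUP_PASSWORD (placeholder name, not an mvt variable) rather than
    typed on the command line, so it stays out of shell history (it is still
    visible in the process list while mvt runs).
    """
    work, iocs = Path(work_dir).expanduser(), Path(iocs).expanduser()
    if not iocs.is_file():
        raise FileNotFoundError(f"IoC file missing: {iocs}")
    password = os.environ.get("MVT_BACKUP_PASSWORD", "<BACKUP_PASSWORD>")
    decrypt = ["mvt-ios", "decrypt-backup", "-p", password,
               "-d", str(work / "decrypt"), str(work / "orig")]
    check = ["mvt-ios", "check-backup", "-o", str(work / "logs"),
             "--iocs", str(iocs), str(work / "decrypt")]
    return decrypt, check
```

Pass the returned lists to subprocess.run one after the other once the backup is staged and the IoC file is in place.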
Again, I recommend following Amnesty’s instructions and using the corresponding commands, as it’s always possible that the tool has been updated. Security researcher @RayRedacted on Twitter also has a great thread going through some of the issues you may encounter while running the tool and how to deal with them.
As a final note, Amnesty only provides instructions for installing the tool on macOS and Linux systems. For those who want to run it on Windows, The Verge has confirmed that the tool can be used by installing Windows Subsystem for Linux (WSL) and following Amnesty’s Linux instructions. Using WSL requires downloading and installing a Linux distro, such as Ubuntu, which takes some time; however, it can be done while you wait for your phone to back up.
After running mvt, you will see a list of warnings that mention suspicious files or behavior. It is worth noting that a warning does not necessarily mean you are infected. For me, some redirects that were completely above board appeared in the section where it checked my Safari history (sheets.google.com redirects to docs.google.com, reut.rs redirects to reuters.com, etc.). Likewise, I got a few errors, but only because the program was looking for apps that I hadn’t installed on my phone.
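To show what the IoC check is actually doing when it flags a Safari redirect, here is an added example (not part of mvt or Amnesty’s indicators): a constructed STIX 2 bundle with domain-name and url indicators is parsed, and constructed redirect records are matched against it, so benign redirects like the Google and Reuters ones above fall through while a hit on an indicator host is reported. The example.invalid hosts and the bundle id are made up.

```python
import json
import re
from urllib.parse import urlparse
# Added example, not Amnesty's code. Constructed STIX 2 bundle (not the real
# pegasus.stix2) using the indicator pattern shape [domain-name:value = 'host'].
SAMPLE_STIX2 = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn-update.example.invalid']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[url:value = 'https://link.example.invalid/x']"},
        {"type": "malware", "name": "placeholder"},  # not an indicator; skipped
    ],
})
# Constructed Safari redirects (source, destination); the first two are the
# benign ones the article saw flagged.
SAMPLE_REDIRECTS = [
    ("https://sheets.google.com/", "https://docs.google.com/spreadsheets/"),
    ("https://reut.rs/abc", "https://www.reuters.com/article/abc"),
    ("https://t.co/xyz", "https://sub.cdn-update.example.invalid/p?id=1"),
]
INDICATOR_RE = re.compile(r"\[(?:domain-name|url):value\s*=\s*'([^']+)'\]")

def load_domain_iocs(stix2_text):
    """Collect lowercase hostnames from domain-name and url indicators."""
    hosts = set()
    for obj in json.loads(stix2_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship, etc. carry no pattern to match
        m = INDICATOR_RE.match(obj.get("pattern", ""))
        if m:
            value = m.group(1)
            hosts.add((urlparse(value).hostname if "://" in value else value).lower())
    return hosts

def host_matches(host, iocs):
    """True for an exact match or a subdomain of any indicator host."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)

def triage_redirects(redirects, iocs):
    """Keep only redirects whose source or destination host hits an IoC."""
    hits = []
    for src, dst in redirects:
        for url in (src, dst):
            if host_matches(urlparse(url).hostname or "", iocs):
                hits.append((src, dst, url))
                break
    return hits
```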
The story surrounding Pegasus has probably left many of us with a little more suspicion than usual regarding our phones, regardless of whether we’re likely to be targeted by a nation-state. While running the tool can (hopefully) help allay some fears, for many Americans it probably isn’t a necessary precaution. NSO Group has said its software cannot be used on phones with US numbers, according to The Washington Post, and the investigation found no evidence that American phones had been successfully hacked by Pegasus.
While it’s nice to see Amnesty making this tool available with solid documentation, it only really helps address the privacy issues surrounding Pegasus. As we’ve seen recently, it doesn’t take a government targeting your phone’s microphone and camera to get private information — the data brokerage industry can sell your location history even if your phone is Pegasus-free.