Pegasus, spyware created by an Israeli organization, is the go-to tool for many glowing agencies worldwide. They use it to snoop on unsuspecting individuals. Luckily, Amnesty International has developed a tool that can help us spot signs of this spyware on our iOS or Android devices.
I will be using a MacBook M1 with Docker to complete this task.
Install Docker and give Docker full disk access. You can give Docker full disk access by going to System Preferences > Security and Privacy > Privacy > Full Disk Access.
Make a backup of your iPhone and encrypt it via Finder.
Build the MVT (MVTools) docker image:
git clone https://github.com/mvt-project/mvt.git
cd mvt
docker build -t mvt .
Run the Docker image and mount your iPhone backup location:
docker run -it -v /Users/ilias/Library/Application\ Support/MobileSync/Backup:/backup mvt
Decrypt the backup with your password:
mvt-ios decrypt-backup -p 'YOURPASSWORD' -d decrypt '/backup/PHONE_UUID'
The UUID of the phone is the name of the backup folder, which you can find in the backup location in Finder.
Clone the Amnesty investigation files from GitHub:
git clone https://github.com/AmnestyTech/investigations.git
Check your decrypted backup against the Pegasus investigation file:
mvt-ios check-backup -i investigations/2021-07-18_nso/pegasus.stix2 decrypt/
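The check-backup step works by extracting artifacts (Safari history hosts, process names, file paths, and so on) from the decrypted backup and comparing them with the indicators listed in the STIX2 file. As an added example that is not MVT's own code, here is a minimal Python version of that matching logic; the STIX2 bundle and the backup records below are constructed samples, not the real pegasus.stix2 or real phone data.

```python
import json
import re

# Constructed STIX2 bundle (not the real pegasus.stix2) using the same pattern
# shapes Amnesty's indicator files use: domain-name, process and file objects.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'example-ioc.invalid']"},
        {"type": "indicator", "pattern": "[process:name = 'sampleproc']"},
        {"type": "indicator", "pattern": "[file:path = '/private/var/tmp/sample.sqlite']"},
        {"type": "malware", "name": "not an indicator, must be skipped"},
    ],
})

# One simple comparison per pattern, e.g. [domain-name:value = 'x.example']
PATTERN_RE = re.compile(r"^\[([a-z-]+):([a-z_]+)\s*=\s*'([^']+)'\]$")


def load_indicators(stix2_text):
    """Return {stix_object_type: set(values)} built from every indicator object."""
    iocs = {}
    for obj in json.loads(stix2_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if not match:  # skip pattern shapes this small parser does not handle
            continue
        kind, _field, value = match.groups()
        iocs.setdefault(kind, set()).add(value.lower())
    return iocs


# Constructed records of the kind MVT modules pull out of a decrypted backup
# (Safari history hosts, DataUsage process names, filesystem paths).
SAMPLE_RECORDS = [
    {"module": "safari_history", "kind": "domain-name", "value": "www.apple.com"},
    {"module": "safari_history", "kind": "domain-name", "value": "EXAMPLE-IOC.invalid"},
    {"module": "datausage", "kind": "process", "value": "sampleproc"},
    {"module": "filesystem", "kind": "file", "value": "/private/var/tmp/other.sqlite"},
]


def check_records(records, iocs):
    """Return the records whose value matches an indicator of the same type (case-insensitive)."""
    return [r for r in records if r["value"].lower() in iocs.get(r["kind"], set())]


if __name__ == "__main__":
    for hit in check_records(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2)):
        print(f"DETECTED in {hit['module']}: {hit['value']}")
```

The real tool also matches subdomains of indicator domains and writes per-module `*_detected.json` files, so treat this as the shape of the check rather than a replacement for it.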
If you see any fishy data and results, you might have caught Pegasus red-handed.