Check iPhone for Pegasus Spyware

Pegasus, a spyware created by an Israeli organization, is the go-to tool for many glowing agencies worldwide. They use it to snoop on unsuspecting individuals. Luckily, Amnesty International has developed a tool that can help us spot signs of this spyware on our iOS or Android devices.

I will be using a MacBook M1 with Docker to complete this task.

Install Docker and give Docker full disk access. You can give Docker full disk access by going to System Preferences > Security and Privacy > Privacy > Full Disk Access.

Make a backup of your iPhone and encrypt it via Finder.

Build the MVT (MVTools) Docker image:

git clone
cd mvt
docker build -t mvt .

Run the Docker image and mount your iPhone backup location:

docker run -it -v /Users/ilias/Library/Application\ Support/MobileSync/Backup:/backup mvt

Decrypt the backup with your password:

mvt-ios decrypt-backup -p 'YOURPASSWORD' -d decrypt '/backup/PHONE_UUID'

The UUID of the phone can be found in the backup location in Finder.

Clone the Amnesty investigation files from GitHub:

git clone

Check your decrypted backup with the Pegasus investigation file:

mvt-ios check-backup -i investigations/2021-07-18_nso/pegasus.stix2 decrypt/

If the check reports any fishy data or results, you might have caught Pegasus red-handed.
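To show what the check-backup step is looking for, here is an added example (not MVT's code and not part of the original post) that reads a STIX2 indicator file and matches its domain indicators against URLs. The bundle, domains, URLs and function names are constructed for illustration, and the matching logic is a simplified assumption of how such a check can work.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed STIX2 bundle shaped like an indicator file; every value is made up.
SAMPLE_STIX2 = json.dumps({"type": "bundle", "objects": [
    {"type": "malware", "name": "constructed-sample"},
    {"type": "indicator", "pattern": "[domain-name:value='bad-redirect.example']"},
    {"type": "indicator", "pattern": "[domain-name:value='cdn.implant.example']"},
    {"type": "indicator", "pattern": "[process:name='fakedaemond']"},
]})

# Constructed URLs standing in for browsing history pulled from a decrypted backup.
SAMPLE_URLS = [
    "https://news.example/article?id=1",
    "https://x7.bad-redirect.example:30495/path",
    "https://notbad-redirect.example/",      # shares a suffix only, must not match
    "http://CDN.Implant.Example./a.js",      # mixed case and trailing dot
]

# Only simple single-comparison patterns ([object:property='value']) are handled.
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\]$")


def load_indicators(stix2_text):
    """Group indicator values by 'object:property', e.g. 'domain-name:value'."""
    indicators = {}
    for obj in json.loads(stix2_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if m:
            indicators.setdefault(f"{m[1]}:{m[2]}", set()).add(m[3].lower())
    return indicators


def match_urls(urls, indicators):
    """Return (url, domain) pairs where the host is the domain or a subdomain of it."""
    domains = sorted(indicators.get("domain-name:value", set()))
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        hits += [(url, d) for d in domains if host == d or host.endswith("." + d)]
    return hits


if __name__ == "__main__":
    for url, ioc in match_urls(SAMPLE_URLS, load_indicators(SAMPLE_STIX2)):
        print(f"WARNING: {url} matches indicator {ioc}")
```

Comparing on the parsed hostname rather than on a substring of the URL keeps look-alike hosts such as notbad-redirect.example from being flagged.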

