Check Iphone for Pegasus Spyware with Docker

Pegasus is spyware developed by a Israeli organisation that is being used by a lot of glowie organisations around the world to spy on people. Amnesty International developed a tool we can use to detect indicators of that spyware on your ios or android phone.

I will be using a Macbook M1 with Docker to complete this task.

Install Docker and give Docker full disk access. You can give Docker ful disk access by going to System Preferences > Security and Privacy > Privacy > Full Disk Access

Make a backup of your Iphone and encrypt it via Finder.

Build the MVT (MVTools) docker image:

git clone https://github.com/mvt-project/mvt.git
cd mvt
docker build -t mvt .

Run the Docker image and mount your iphone backup location

 docker run -it -v /Users/ilias/Library/Application\ Support/MobileSync/Backup:/backup mvt

Decrypt the backup with your password

mvt-ios decrypt-backup -pv 'YOURPASSWORD' -d decrypt '/backup/PHONE_UUID'

the UUID of the phone can be found in the backup location in Finder

Clone the Amnesty investigation files from Github

git clone https://github.com/AmnestyTech/investigations.git

Check your decrypted backup with the Pegasus investigation file.

mvt-ios check-backup -i investigations/2021-07-18_nso/pegasus.stix2 decrypt/

If you are or were invected with Pegasus you will get a list of suspicious data and results.