
Check iPhone for Pegasus Spyware with Docker


Pegasus is spyware developed by an Israeli organisation that is being used by a lot of glowie organisations around the world to spy on people. Amnesty International developed a tool you can use to detect indicators of that spyware on your iOS or Android phone.

I will be using a MacBook M1 with Docker to complete this task.

Install Docker and give Docker full disk access. You can give Docker full disk access by going to System Preferences > Security and Privacy > Privacy > Full Disk Access.

Make a backup of your iPhone and encrypt it via Finder.

Build the MVT (MVTools) Docker image:

git clone
cd mvt
docker build -t mvt .

Run the Docker image and mount your iPhone backup location:

docker run -it -v /Users/ilias/Library/Application\ Support/MobileSync/Backup:/backup mvt

Decrypt the backup with your password:

mvt-ios decrypt-backup -p 'YOURPASSWORD' -d decrypt '/backup/PHONE_UUID'

The UUID of the phone can be found in the backup location in Finder.

Clone the Amnesty investigation files from GitHub:

git clone

Check your decrypted backup with the Pegasus investigation file.

mvt-ios check-backup -i investigations/2021-07-18_nso/pegasus.stix2 decrypt/

If you are or were infected with Pegasus, you will get a list of suspicious data and results.
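
To show what the check-backup step compares your data against, here is an added example (not MVT's own code and not part of the original post) that reads a STIX2 indicator file such as pegasus.stix2 and matches its domain indicators against a list of hostnames. The bundle contents, hostnames and function names are constructed for illustration, and the exact-or-subdomain matching rule is an assumption.

```python
import json
import re
from collections import defaultdict

# Constructed sample bundle (placeholder values, not real Pegasus indicators).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "malware", "id": "malware--1", "name": "ExampleSpyware"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value='c2.example.com']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[process:name='exampled']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[email-addr:value='lure@example.org']"},
    ],
})

# Matches simple single-comparison patterns: [object:property='value']
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):([a-z_.]+)\s*=\s*'([^']*)'\]$")

def load_indicators(stix_text):
    """Group indicator values by (object type, property), lowercased."""
    grouped = defaultdict(set)
    for obj in json.loads(stix_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship, etc. carry no pattern
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if m:  # compound patterns (AND/OR) are not handled here
            grouped[(m.group(1), m.group(2))].add(m.group(3).lower())
    return grouped

def domain_hits(indicators, hostnames):
    """Return hostnames equal to, or subdomains of, an indicator domain."""
    bad = indicators.get(("domain-name", "value"), set())
    hits = []
    for host in hostnames:
        h = host.lower().rstrip(".")
        if any(h == d or h.endswith("." + d) for d in bad):
            hits.append(host)
    return hits

if __name__ == "__main__":
    iocs = load_indicators(SAMPLE_BUNDLE)
    for key, values in sorted(iocs.items()):
        print(key, sorted(values))
    # Constructed hostnames, as might be extracted from browsing history.
    print(domain_hits(iocs, ["www.apple.com", "a.c2.example.com",
                             "notc2.example.com.evil.test"]))
```

To inspect a real indicator file, pass its contents to load_indicators() instead of SAMPLE_BUNDLE.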