Check Your Iphone for Pegasus Spyware

Pegasus, a spyware created by an Israeli organization, is the go-to tool for many glowing agencies worldwide. They use it to snoop on unsuspecting individuals. Luckily, Amnesty International has developed a tool that can help us spot signs of this spyware on our iOS or Android devices.

I will be using a Macbook M1 with Docker to complete this task.

Install Docker and give Docker full disk access. You can give Docker ful disk access by going to System Preferences > Security and Privacy > Privacy > Full Disk Access

Make a backup of your Iphone and encrypt it via Finder.

Build the MVT (MVTools) docker image:

git clone https://github.com/mvt-project/mvt.git
cd mvt
docker build -t mvt .

Run the Docker image and mount your iphone backup location

 docker run -it -v /Users/ilias/Library/Application\ Support/MobileSync/Backup:/backup mvt

Decrypt the backup with your password

mvt-ios decrypt-backup -pv 'YOURPASSWORD' -d decrypt '/backup/PHONE_UUID'

the UUID of the phone can be found in the backup location in Finder

Clone the Amnesty investigation files from Github

git clone https://github.com/AmnestyTech/investigations.git

Check your decrypted backup with the Pegasus investigation file.

mvt-ios check-backup -i investigations/2021-07-18_nso/pegasus.stix2 decrypt/

If you see any fishy data and results, you might have caught Pegasus red-handed.