The Pegasus spyware made by the Israel-based company NSO Group has been used in targeted surveillance attacks against activists, journalists and businesspeople. Its details, and methods to detect it, were revealed by Citizen Lab (in its reporting on attacks by the Bahraini government on activists), with a forensic methodology report made available by Amnesty International.
Because both the tools and the indicators of compromise are made available it’s fairly easy to do these checks yourself.
Set up a Python 3 virtual environment and activate it.
virtualenv mvt
source mvt/bin/activate
Install the Mobile Verification Toolkit in that virtual environment.
pip3 install mvt
Get a backup from your iPhone. If you do backups with an Apple computer (OSX) you can find them at
Copy the latest backup to the Linux environment where you installed mvt. Note that you can install mvt also on your OSX but I prefer to use it in a Linux system.
You then have to decrypt the backup.
mvt-ios decrypt-backup -p <backup password> -d /path/to/decrypted_iphone /path/to/backup
Make sure that /path/to/backup is local to the system where you run mvt. I was unable to execute it when the iPhone backup was mounted via a remote file system.
Fetch the latest indicators from https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso. These are in STIX2 format; the file you need is pegasus.stix2.
Then verify your decrypted backup.
mvt-ios check-backup -i pegasus.stix2 -o /path/to/output /path/to/decrypted_iphone
It’s not abnormal to see a list of warnings or errors.
In the output folder you'll find a bunch of JSON files. Check whether any of their names carry the suffix _detected: those files hold the records that matched an indicator.
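The last two steps (loading the STIX2 indicators and looking for _detected files in the output folder) can be scripted. The script below is an added example written for this post; it is not part of MVT or of the original article. It assumes the layout described above: a STIX2 bundle whose indicator patterns are single comparisons such as [domain-name:value = '...'], and an output folder in which MVT writes one JSON list per module and names the matching subset *_detected.json. All sample data it creates (the .invalid domain, the SMS and WebKit records, the bundle id) is constructed for the dry run and is not a real indicator.

```python
"""Summarise an MVT check-backup output folder and the STIX2 indicator file."""
import json
import re
import tempfile
from pathlib import Path

# STIX2 indicator patterns in the Amnesty file look like
# [domain-name:value = 'example.com'] or [url:value = 'https://...'].
# Assumption: single-comparison patterns only; anything else is skipped.
PATTERN_RE = re.compile(r"\[(?P<type>[\w-]+):value\s*=\s*'(?P<value>[^']+)'\]")


def load_indicators(stix_path):
    """Return {indicator_type: [values]} for the STIX2 bundle at stix_path."""
    bundle = json.loads(Path(stix_path).read_text(encoding="utf-8"))
    indicators = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if match:
            indicators.setdefault(match.group("type"), []).append(match.group("value"))
    return indicators


def find_detections(output_dir):
    """Return {filename: record_count} for every *_detected.json in output_dir.

    A file that exists but cannot be parsed is reported with count None,
    so a corrupt detection file is never silently treated as "clean".
    """
    found = {}
    for path in sorted(Path(output_dir).glob("*_detected.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            found[path.name] = None
            continue
        found[path.name] = len(data) if isinstance(data, list) else 1
    return found


def summarise(output_dir):
    """Condense an MVT output folder into a small verdict dictionary."""
    hits = find_detections(output_dir)
    total = sum(n for n in hits.values() if n)
    return {"files": hits, "total_records": total, "clean": not hits}


def build_sample():
    """Create a constructed STIX2 file and two MVT-style output folders.

    Everything here is made up: indicator values use the reserved .invalid
    TLD and the records only mimic the shape of MVT output.
    """
    root = Path(tempfile.mkdtemp(prefix="mvt-demo-"))
    stix = root / "sample.stix2"
    stix.write_text(json.dumps({
        "type": "bundle",
        "id": "bundle--00000000-0000-0000-0000-000000000000",
        "objects": [
            {"type": "indicator", "pattern": "[domain-name:value = 'pegasus-example.invalid']"},
            {"type": "indicator", "pattern": "[url:value = 'https://pegasus-example.invalid/x']"},
            {"type": "malware", "name": "constructed non-indicator object"},
        ],
    }), encoding="utf-8")

    infected = root / "output_infected"
    infected.mkdir()
    (infected / "safari_history.json").write_text("[]", encoding="utf-8")
    (infected / "sms_detected.json").write_text(json.dumps([
        {"isodate": "2021-07-18 00:00:00", "text": "https://pegasus-example.invalid/x"},
        {"isodate": "2021-07-19 00:00:00", "text": "https://pegasus-example.invalid/x"},
    ]), encoding="utf-8")
    (infected / "webkit_resource_load_statistics_detected.json").write_text(json.dumps([
        {"domain": "pegasus-example.invalid"},
    ]), encoding="utf-8")

    clean = root / "output_clean"
    clean.mkdir()
    (clean / "safari_history.json").write_text("[]", encoding="utf-8")

    return {"stix": stix, "infected": infected, "clean": clean}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # python mvt_summary.py pegasus.stix2 /path/to/output
        stix_path, output_dir = sys.argv[1], sys.argv[2]
    else:                    # no arguments: run against the constructed sample
        sample = build_sample()
        stix_path, output_dir = sample["stix"], sample["infected"]
    counts = {k: len(v) for k, v in load_indicators(stix_path).items()}
    print("indicators loaded:", counts)
    print("verdict:", json.dumps(summarise(output_dir), indent=2))
```

Run it with the real pegasus.stix2 and your /path/to/output as the two arguments; with no arguments it exercises the constructed sample. A verdict of "clean": false means at least one _detected file exists and deserves a manual look at its records; an empty files dictionary means MVT matched nothing against the indicators you gave it, which is not the same as proof the device was never compromised.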
Delete the decrypted backup from your system, as well as the output files.