DIY Pegasus Spyware Scan

You have probably heard the news that Pegasus, the spyware created by NSO Group, is still potentially infecting targeted fully-patched Android and iOS phones. The new interest in this software comes after a list of over 50,000 phone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 was leaked to several media outlets. The leak itself provides no evidence of any infection or compromise, but that shouldn't stop websites from panic-brokering in order to sell ad clicks. One of the main announcements came from The Guardian, which delivers 22 trackers to your browser if you want to read their version of the story.

I highly doubt you have Pegasus on your device, but countless people have been asking me about ways to scan for potential infection. The following could be executed on a Mac computer to check an iPhone.

Make sure you have Brew installed. If you do not, execute the following within Terminal:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

After you have Brew installed, execute the following commands within Terminal.

brew install python3 libusb
pip3 install mvt

You now have the MVT tool, which can scan for CURRENT Pegasus infection. However, it cannot scan a mobile device directly. You must generate an iOS backup through the Finder app by connecting your device via USB, selecting the device within Finder, then choosing "Back Up Now".

Since I encrypt my device backups, I must first make a decrypted version. If you do not encrypt your backups, skip this step. Enter the following within Terminal but do not execute it yet.

mvt-ios decrypt-backup -p THE.PASSWORD.TO.YOUR.DEVICE.BACKUP -d ~/Desktop/decrypted/

Open Finder and navigate to your home directory, then locate Library/Application Support/MobileSync/Backup. Find the randomly generated folder in this directory and drag and drop it into Terminal at the end of your previous command. The entire command should now be similar to the following.

mvt-ios decrypt-backup -p PASSWORD -d ~/Desktop/decrypted/ /Users/YOURUSERNAME/Library/Application\ Support/MobileSync/Backup/5587346598736592834765928345932

This command will decrypt your backup and store it on your Desktop. The following command will scan this backup.

mvt-ios check-backup ~/Desktop/decrypted/ --output ~/Desktop/results/

You now have a folder on your Desktop with the results. Look through it for any files which end in "_detected.json". These COULD indicate infection, but the content would need to be scrutinized.
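As an added example (not code from this post or from the MVT project), the following Python helpers automate two of the manual steps above: picking the randomly named backup folder under Library/Application Support/MobileSync/Backup, and triaging an MVT results folder for files ending in "_detected.json". The only assumption about MVT's output format is that each "_detected.json" file holds a JSON array of objects; any file with a different shape is flagged for manual inspection rather than treated as clean. The sample results and backup folders it runs on are constructed in a scratch directory, so it runs offline without a real backup.

```python
"""Helpers for the MVT backup-scan procedure (added example, not MVT's own code)."""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def newest_backup_dir(base: Optional[Path] = None) -> Optional[Path]:
    """Return the most recently modified backup folder under the MobileSync
    Backup directory (the random-looking folder the text says to drag into
    Terminal), or None if the directory is missing or empty."""
    if base is None:
        base = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"
    if not base.is_dir():
        return None
    candidates = [p for p in base.iterdir() if p.is_dir()]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.stat().st_mtime)


def summarize_detections(results_dir: Path) -> Dict[str, int]:
    """Map each *_detected.json file name to its record count.

    Assumption: a detected file is a JSON array of objects. A count of -1 marks
    a file that does not match that shape (or cannot be read) so it is never
    silently counted as zero. An empty dict means no *_detected.json exists."""
    results_dir = Path(results_dir)
    summary: Dict[str, int] = {}
    if not results_dir.is_dir():
        return summary
    for path in sorted(results_dir.rglob("*_detected.json")):
        try:
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError):
            summary[path.name] = -1
            continue
        if isinstance(data, list) and all(isinstance(r, dict) for r in data):
            summary[path.name] = len(data)
        else:
            summary[path.name] = -1
    return summary


def triage_report(results_dir: Path) -> List[str]:
    """One line per detected file; any file with records needs a human look."""
    summary = summarize_detections(results_dir)
    if not summary:
        return ["no *_detected.json files: no indicators matched"]
    lines = []
    for name, count in summary.items():
        if count < 0:
            lines.append(f"{name}: unparsed, inspect by hand")
        elif count == 0:
            lines.append(f"{name}: 0 records")
        else:
            lines.append(f"{name}: {count} record(s) matched an indicator; review the content")
    return lines


def build_sample_results(root: Path) -> Path:
    """Write a constructed, MVT-style results folder (sample data, not real output)."""
    results = root / "results"
    results.mkdir(parents=True, exist_ok=True)
    # constructed: a module whose indicator check matched two records
    (results / "safari_history_detected.json").write_text(json.dumps([
        {"timestamp": "2021-07-01 10:00:00", "module": "SafariHistory",
         "url": "http://placeholder.invalid/a"},
        {"timestamp": "2021-07-02 11:00:00", "module": "SafariHistory",
         "url": "http://placeholder.invalid/b"},
    ]))
    # constructed: the full (non-detected) dump, which triage must ignore
    (results / "safari_history.json").write_text(json.dumps([{"url": "https://example.org/"}]))
    # constructed edge case: a detected file with no records
    (results / "sms_detected.json").write_text("[]")
    return results


def build_sample_backup_base(root: Path) -> Path:
    """Create two constructed backup folders; 'newer' gets the later mtime."""
    base = root / "Backup"
    for name, stamp in (("older", 1_000_000), ("newer", 2_000_000)):
        d = base / name
        d.mkdir(parents=True, exist_ok=True)
        os.utime(d, (stamp, stamp))
    return base


def demo() -> Dict[str, object]:
    """Run both helpers over constructed data in a scratch directory."""
    root = Path(tempfile.mkdtemp(prefix="mvt-triage-"))
    results = build_sample_results(root)
    base = build_sample_backup_base(root)
    return {
        "summary": summarize_detections(results),
        "report": triage_report(results),
        "empty_report": triage_report(root / "no-results"),
        "newest_backup": newest_backup_dir(base).name,
        "missing_base": newest_backup_dir(root / "no-backups"),
    }


if __name__ == "__main__":
    for line in demo()["report"]:
        print(line)
```

On a real scan, call `triage_report(Path.home() / "Desktop" / "results")` instead of `demo()`; the report only tells you which files deserve scrutiny, it does not judge the records themselves.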

Android users have a bit more hassle. See the official MVT docs at https://mvt.readthedocs.io/en/latest/ios/records.html if you want to check your own system.

I highly suspect that you do not have any infection, but these steps could set your mind at ease if you believe you were targeted by this software between 2016 and today. All of my devices were clean.