Skip to main content

Here’s how to check your phone for Pegasus spyware using Amnesty’s tool

Here’s how to check your phone for Pegasus spyware using Amnesty’s tool

/

The process involves some terminal work, but it’s relatively straightforward

Share this story

Illustration by Alex Castro / The Verge

Amnesty International — part of the group that helped break the news of journalists and heads of state being targeted by NSO’s government-grade spyware, Pegasus — has released a tool to check if your phone has been affected. Alongside the tool is a great set of instructions, which should help you through the somewhat technical checking process. Using the tool involves backing up your phone to a separate computer and running a check on that backup. Read on if you’ve been side-eyeing your phone since the news broke and are looking for guidance on using Amnesty’s tool.

The first thing to note is the tool is command line or terminal based, so it will take either some amount of technical skill or a bit of patience to run. We try to cover a lot of what you need to know to get up and running here, but it’s something to know before jumping in.

It will take some amount of technical skill or a bit of patience

The second note is that the analysis Amnesty is running seems to work best for iOS devices. In its documentation, Amnesty says the analysis its tool can run on Android phone backups is limited, but the tool can still check for potentially malicious SMS messages and APKs. Again, we recommend following its instructions.

To check your iPhone, the easiest way to start is by making an encrypted backup either using iTunes or Finder on a Mac or PC. You’ll then need to locate that backup, which Apple provides instructions for. Linux users can follow Amnesty’s instructions on how to use the libimobiledevice command line tool to create a backup.

After getting a backup of your phone, you’ll then need to download and install Amnesty’s mvt program, which Amnesty also provides instructions for.

If you’re using a Mac to run the check, you’ll first need to install both Xcode, which can be downloaded from the App Store, and Python3 before you can install and run mvt. The easiest way to obtain Python3 is using a program called Homebrew, which can be installed and run from the Terminal. After installing these, you’ll be ready to run through Amnesty’s iOS instructions.

You’ll want to make sure your iPhone’s backup is encrypted with a password

If you run into issues while trying to decrypt your backup, you’re not alone. The tool was giving me errors when I tried to point it to my backup, which was in the default folder. To solve this, I copied the backup folder from that default location into a folder on my desktop and pointed mvt to it. My command ended up looking like this:

(For illustration purposes only. Please use commands from Amnesty’s instructions, as it’s possible the program has been updated.)

mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig 

When running the actual scan, you’ll want to point to an Indicators of Compromise file, which Amnesty provides in the form of a file called pegasus.stix2. Those who are brand-new to using the terminal may get tripped up on how to actually point to a file, but it’s relatively simple as long as you know where the file is. For beginners, I’d recommend downloading the stix2 file to your Mac’s Downloads folder. Then, when you get to the step where you’re actually running the check-backup command, add

-i ~/Downloads/pegasus.stix2

into the option section. For reference, my command ended up looking like this. (Again, this is for illustration purposes only. Trying to copy these commands and run them will result in an error):

mvt-ios check-backup -o logs --iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt

(For reference, the ~/ is more or less acting as a shortcut to your user folder, so you don’t have to add in something like /Users/mitchell.)

Again, I’d recommend following along with Amnesty’s instructions and using its commands, as it’s always possible that the tool will have been updated. Security researcher @RayRedacted on Twitter also has a great thread going through some of the issues you may run into while running the tool and how to deal with them.

The investigation didn’t find evidence that US phones had been breached by Pegasus

As a final note, Amnesty only provides instructions for installing the tool on macOS and Linux systems. For those looking to run it on Windows, The Verge has confirmed the tool can be used by installing and using Windows Subsystem for Linux (WSL) and following Amnesty’s Linux instructions. Using WSL will require downloading and installing a Linux distro, like Ubuntu, which will take some time. It can, however, be done while you wait for your phone to backup.

After running mvt, you’ll see a list of warnings that either list suspicious files or behavior. It’s worth noting that a warning doesn’t necessarily mean you’ve been infected. For me, some redirects that were totally above board showed up in the section where it checked my Safari history (sheets.google.com redirecting to docs.google.com, reut.rs redirecting to reuters.com, etc). Likewise, I got a few errors, but only because the program was checking for apps that I don’t have installed on my phone.

The story around Pegasus has likely left many of us regarding our phones with a bit more suspicion than usual, regardless of whether we’re likely to be targeted by a nation-state. While running the tool could (hopefully) help to ease some fears, it’s probably not a necessary precaution for many Americans. NSO Group has said its software cannot be used on phones with US numbers, according to The Washington Post, and the investigation didn’t find any evidence that US phones had been successfully breached by Pegasus.

While it’s nice to see that Amnesty made this tool available with solid documentation, it only really helps to address the privacy concerns around Pegasus. As we’ve seen recently, it doesn’t take a government targeting your phone’s microphone and camera to get private information — the data broker industry could be selling your location history even if your phone is Pegasus-free.

Today’s Storystream

Feed refreshed 7 minutes ago Not just you

E
External Link
Emma Roth7 minutes ago
We might not get another Apple event this year.

While Apple was initially expected to hold an event to launch its rumored M2-equipped Macs and iPads in October, Bloomberg’s Mark Gurman predicts Apple will announce its new devices in a series of press releases, website updates, and media briefings instead.

I know that it probably takes a lot of work to put these polished events together, but if Apple does pass on it this year, I will kind of miss vibing to the livestream’s music and seeing all the new products get presented.


E
External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.


A
The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.


J
Twitter
Jay PetersSep 23
Twitch’s creators SVP is leaving the company.

Constance Knight, Twitch’s senior vice president of global creators, is leaving for a new opportunity, according to Bloomberg’s Cecilia D’Anastasio. Knight shared her departure with staff on the same day Twitch announced impending cuts to how much its biggest streamers will earn from subscriptions.


T
Twitter
Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.


A
External Link
If you’re using crash detection on the iPhone 14, invest in a really good phone mount.

Motorcycle owner Douglas Sonders has a cautionary tale in Jalopnik today about the iPhone 14’s new crash detection feature. He was riding his LiveWire One motorcycle down the West Side Highway at about 60 mph when he hit a bump, causing his iPhone 14 Pro Max to fly off its handlebar mount. Soon after, his girlfriend and parents received text messages that he had been in a horrible accident, causing several hours of panic. The phone even called the police, all because it fell off the handlebars. All thanks to crash detection.

Riding a motorcycle is very dangerous, and the last thing anyone needs is to think their loved one was in a horrible crash when they weren’t. This is obviously an edge case, but it makes me wonder what other sort of false positives we see as more phones adopt this technology.


A
External Link
Ford is running out of its own Blue Oval badges.

Running out of semiconductors is one thing, but running out of your own iconic nameplates is just downright brutal. The Wall Street Journal reports badge and nameplate shortages are impacting the automaker's popular F-series pickup lineup, delaying deliveries and causing general chaos.

Some executives are even proposing a 3D printing workaround, but they didn’t feel like the substitutes would clear the bar. All in all, it's been a dreadful summer of supply chain setbacks for Ford, leading the company to reorganize its org chart to bring some sort of relief.