How to Check if Your iPhone is Infected with Pegasus Spyware.
Concerned about the recent revelations of widespread political espionage? Journalists, activists, prime ministers, presidents and a king are among the more than 1,000 people in 50 countries identified as allegedly under surveillance using the Pegasus spyware.
The Israeli firm NSO Group issued a denial on Sunday, July 25, 2021: "We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts."
Pegasus
Pegasus is spyware developed by the Israeli infosec firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. The 2021 Project Pegasus revelations suggest that current Pegasus software is able to exploit all recent iOS versions up to iOS 14.6. According to the Washington Post and other prominent media sources, Pegasus is extremely dangerous: it gives the operator full control of the smartphone, letting them secretly read correspondence, wiretap phone conversations and view photos and videos, and it also enables call and location tracking, turning the phone into a constant surveillance device. To add fuel to the fire, popular antivirus products cannot detect Pegasus, since the malware exploits zero-day vulnerabilities that are unknown to the developers of operating systems and antivirus applications.
Pegasus is just very dangerous!
How Pegasus infiltrates a phone and what it can do.
What is MVT?
Meanwhile, Amnesty International researchers have created a tool that helps you determine whether your phone is being targeted by spyware. The Mobile Verification Toolkit (MVT) is designed to assist you in determining whether the Pegasus spyware has targeted your phone, and its source code is available for free on GitHub. It works with both Android and iOS devices, though the researchers noted that signs of compromise are easier to find on iPhone handsets than on Android devices, because more forensic traces are available on Apple hardware.
In its current stage, MVT requires some command-line knowledge. It may, however, receive a graphical user interface (GUI) over time.
Once a backup is created, MVT uses known “indicators of compromise” such as domain names and binaries which can provide evidence of infection. The tool is continuously evolving, and some of its key features include:
- Decrypt encrypted iOS backups.
- Process and parse records from numerous iOS system and app databases, logs, and system analytics.
- Extract installed applications from Android devices.
- Extract diagnostic information from Android devices through the ADB protocol.
- Compare extracted records to a provided list of malicious indicators in STIX2 format.
- Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
- Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
Installation of MVT on Mac (Only)
Dependencies on Mac
Before proceeding, please note that MVT requires Python 3.6+, Xcode and Homebrew to be installed.
$ brew install python3
Installing MVT
If you haven't done so already, add the following to your .bashrc or .zshrc (depending on whether you use Bash or Zsh) so that locally installed PyPI binaries are on your $PATH:
$ nano ~/.zshrc
Add this line at the end of the file:
export PATH=$PATH:~/.local/bin
Then you can install MVT:
$ pip install mvt
Or from the source code:
$ git clone https://github.com/mvt-project/mvt.git
$ cd mvt
$ pip3 install .
You should now have the mvt-ios and related utilities installed. You can verify by running:
$ mvt-ios --help
OUTPUT
Usage: mvt-ios [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
check-backup Extract artifacts from an iTunes backup
check-fs Extract artifacts from a full filesystem dump
check-iocs Compare stored JSON results to provided indicators
decrypt-backup Decrypt an encrypted iTunes backup
iOS Forensic Methodology
To analyze an iOS device, we must first collect metadata from the filesystem, which can then be analyzed with MVT.
There are currently two forensic methodologies available: "Filesystem Dump" and "iTunes Backup". They require different levels of technical know-how; the developers indicate that jailbreaking might be required for the filesystem dump method, while an iTunes backup, though more limited in scope, can still provide some details on a compromise of your device.
Here, we will focus on the iTunes Backup.
Install libimobiledevice
These utilities will come in handy when it comes to extracting crash logs and creating iTunes backups. Because the utilities and their libraries are subject to frequent changes in response to new iOS versions, you may want to consider compiling the libimobiledevice utilities from source. Otherwise, if available, you can try installing the packages from your package manager.
On Mac, you can try installing it from brew:
$ brew install --HEAD libimobiledevice
If you have a recent version of libimobiledevice in your package manager, it might work right away. Connect your iOS device to your computer via USB and run:
$ idevicepair pair
It will ask you to unlock the phone and enter the PIN code.
If it complains that no device is connected even though the mobile device is plugged in through the USB cable, you might need to start the USB multiplexing daemon first:
$ sudo usbmuxd -f -d
Backup with iTunes app
To do that:
- Make sure iTunes is installed.
- Connect your iPhone to your computer using a Lightning/USB cable.
- Open the device in iTunes (or Finder on macOS).
- If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
- Start the backup and wait for it to finish (this may take up to 30 minutes).
- Once the backup is done, find its location and copy it to a place where it can be analyzed by mvt.
On Windows, the backup is stored either in %USERPROFILE%\Apple\MobileSync\ or in %USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\.
On macOS, the backup is stored in ~/Library/Application Support/MobileSync/.
Decrypting and Extracting a Backup
If you have an encrypted backup, you will need to decrypt it first. This can be done with mvt-ios as well:
$ mvt-ios decrypt-backup --help
Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH
Decrypt an encrypted iTunes backup
Options:
-d, --destination TEXT Path to the folder where to store the decrypted
backup [required]
-p, --password TEXT Password to use to decrypt the backup NOTE: This
argument is mutually exclusive with arguments:
[key_file].
-k, --key-file PATH File containing raw encryption key to use to decrypt
the backup NOTE: This argument is mutually exclusive
with arguments: [password].
--help Show this message and exit.
You can specify either a password via the command line or pass a key file, and you need to specify a destination path where the decrypted backup will be stored. Following is an example usage of decrypt-backup:
$ mvt-ios decrypt-backup -p password -d /path/to/decrypted /path/to/backup
This command writes a decrypted copy of the backup to the folder given with -d; the next step runs against that decrypted copy rather than the original encrypted backup.
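Finding the backup folder and telling whether it needs decrypt-backup at all can be automated. The following is an added example written for this tutorial, not part of MVT or Amnesty International's code. It assumes the standard iTunes backup layout (each backup in a <MobileSync>/Backup/<UDID>/ folder holding Info.plist and Manifest.plist, the latter carrying an IsEncrypted flag), builds a constructed sample tree in a temporary directory to run against, and uses an obvious placeholder for the backup password.

```python
"""Locate iTunes/Finder backups and decide whether mvt-ios decrypt-backup must run first.

Added example, not MVT code. Assumes the standard backup layout:
<MobileSync>/Backup/<UDID>/ containing Info.plist and Manifest.plist.
"""
import os
import plistlib
import sys
import tempfile
from datetime import datetime
from pathlib import Path


def default_mobilesync_dirs() -> list:
    """Candidate Backup directories for this platform (the tutorial's paths plus 'Backup')."""
    home = Path.home()
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "MobileSync" / "Backup"]
    if sys.platform.startswith("win"):
        profile = Path(os.environ.get("USERPROFILE", str(home)))
        return [profile / "Apple" / "MobileSync" / "Backup",
                profile / "AppData" / "Roaming" / "Apple Computer" / "MobileSync" / "Backup"]
    return []


def describe_backup(backup_dir: Path) -> dict:
    """Read Info.plist and Manifest.plist of one backup folder.

    Returns device name, iOS version, last backup time and whether the backup is
    encrypted (i.e. whether decrypt-backup has to run before check-backup).
    Raises FileNotFoundError if the folder is not a backup.
    """
    info_path = backup_dir / "Info.plist"
    manifest_path = backup_dir / "Manifest.plist"
    if not info_path.is_file() or not manifest_path.is_file():
        raise FileNotFoundError("%s does not look like an iTunes backup" % backup_dir)
    with open(info_path, "rb") as fh:
        info = plistlib.load(fh)
    with open(manifest_path, "rb") as fh:
        manifest = plistlib.load(fh)
    return {
        "path": str(backup_dir),
        "device_name": info.get("Device Name"),
        "ios_version": info.get("Product Version"),
        "last_backup": info.get("Last Backup Date"),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def find_backups(backup_root: Path) -> list:
    """Enumerate backup folders under a MobileSync/Backup directory, skipping decoys."""
    found = []
    if not backup_root.is_dir():
        return found
    for child in sorted(backup_root.iterdir()):
        if child.is_dir():
            try:
                found.append(describe_backup(child))
            except FileNotFoundError:
                continue  # not a backup folder
    return found


def next_command(backup: dict, output_dir: str) -> list:
    """Build the mvt-ios invocation for this backup as an argv list.

    Encrypted backups go to decrypt-backup (password is a placeholder here);
    plain backups go straight to check-backup.
    """
    if backup["encrypted"]:
        return ["mvt-ios", "decrypt-backup", "-p", "<backup password>",
                "-d", output_dir + "/decrypted", backup["path"]]
    return ["mvt-ios", "check-backup", "--output", output_dir, backup["path"]]


def make_sample_backups() -> Path:
    """Build a constructed Backup tree in a temp dir (sample data, not a real backup)."""
    root = Path(tempfile.mkdtemp(prefix="mobilesync-sample-"))
    samples = {
        "00008030-AAAAAAAAAAAAAAAA": True,   # encrypted backup, placeholder UDID
        "00008030-BBBBBBBBBBBBBBBB": False,  # plain backup, placeholder UDID
    }
    for udid, encrypted in samples.items():
        folder = root / udid
        folder.mkdir()
        with open(folder / "Info.plist", "wb") as fh:
            plistlib.dump({"Device Name": "sample iPhone", "Product Version": "14.6",
                           "Last Backup Date": datetime(2021, 7, 25, 9, 0, 0)}, fh)
        with open(folder / "Manifest.plist", "wb") as fh:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    (root / "not-a-backup").mkdir()  # decoy folder without plists; must be skipped
    return root


if __name__ == "__main__":
    roots = default_mobilesync_dirs() or [make_sample_backups()]
    for root in roots:
        for b in find_backups(root):
            print(b)
            print(" ".join(next_command(b, "/path/to/output")))
```

Run it as-is on a Mac or Windows machine and it lists every backup under the standard location with its iOS version and encryption state; on other systems it falls back to the constructed sample tree. The argv list from next_command can be handed to subprocess.run without any shell quoting concerns.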
Run mvt-ios on a Backup
Once you have a decrypted backup available, you can use the check-backup subcommand:
$ mvt-ios check-backup --help
Usage: mvt-ios check-backup [OPTIONS] BACKUP_PATH
Extract artifacts from an iTunes backup
Options:
-i, --iocs PATH Path to indicators file
-o, --output PATH Specify a path to a folder where you want to store JSON
results
-f, --fast Avoid running time/resource consuming features
-l, --list-modules Print list of available modules and exit
-m, --module TEXT Name of a single module you would like to run instead of
all
--help Show this message and exit.
Following is a basic usage of check-backup:
$ mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/
This command will create a few JSON files containing the results from the extraction. If you do not specify an --output option, mvt-ios will just process the data without storing results on disk.
Check for Potential Signs of Compromise
Use the check-iocs subcommand to compare stored JSON results to provided indicators:
$ mvt-ios check-iocs --help
Usage: mvt-ios check-iocs [OPTIONS] FOLDER
Compare stored JSON results to provided indicators
Options:
-i, --iocs PATH Path to indicators file [required]
-l, --list-modules Print list of available modules and exit
-m, --module TEXT Name of a single module you would like to run instead of
all
--help Show this message and exit.
Amnesty International has released a Technical Methodology report which outlines how to use these indicators to hunt for Pegasus and other mobile spyware products. MVT can be used with the pegasus.stix2 indicators to check devices for potential signs of compromise with Pegasus spyware.
In case of a compromise, MVT will highlight any suspicious activity.
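To see what check-iocs is doing conceptually when it compares extracted records with STIX2 indicators, here is an added example written for this post rather than taken from MVT. The bundle and the records are constructed with placeholder values (example.invalid hosts, a made-up process name), not real Pegasus indicators, and the matching rule (a host matches when it equals the indicator domain or is a subdomain of it) is a simplified stand-in for MVT's own logic.

```python
"""Match extracted records against STIX2 indicators, check-iocs style (simplified).

Added example, not MVT code. SAMPLE_STIX2 and SAMPLE_RECORDS are constructed
placeholders, not real indicators or real device data.
"""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape MVT consumes: "indicator" objects whose
# "pattern" is one comparison such as [domain-name:value = 'host'].
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'bad-domain.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[process:name = 'suspiciousd']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "placeholder"},  # non-indicator objects are ignored
    ],
})

# Single-comparison STIX pattern: [<object-type>:<field> = '<value>']
PATTERN_RE = re.compile(r"^\[(?P<kind>[a-z-]+):(?P<field>[a-z_]+)\s*=\s*'(?P<value>[^']+)'\]$")


def load_indicators(stix2_text: str) -> dict:
    """Return {'domains': set, 'processes': set} parsed from the bundle's indicator patterns."""
    iocs = {"domains": set(), "processes": set()}
    for obj in json.loads(stix2_text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:
            continue  # compound or unsupported pattern: skip rather than guess
        kind, value = m.group("kind"), m.group("value").lower()
        if kind == "domain-name":
            iocs["domains"].add(value)
        elif kind == "process":
            iocs["processes"].add(value)
    return iocs


def host_of(url_or_host: str) -> str:
    """Extract the host from a URL; a bare hostname is returned normalised."""
    candidate = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlparse(candidate).hostname or ""
    return host.lower().rstrip(".")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True when host is the indicator domain itself or a subdomain of it."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def check_records(records: list, iocs: dict) -> list:
    """Compare extracted records against the indicators and return the matching ones.

    Each record mimics a row of an MVT module's JSON output:
    {"timestamp", "module", "url"} or {"timestamp", "module", "process"}.
    """
    detected = []
    for rec in records:
        if "url" in rec:
            host = host_of(rec["url"])
            for d in iocs["domains"]:
                if domain_matches(host, d):
                    detected.append({**rec, "matched_ioc": d})
                    break
        elif "process" in rec and rec["process"].lower() in iocs["processes"]:
            detected.append({**rec, "matched_ioc": rec["process"].lower()})
    return detected


# Constructed sample records, like what a Safari history or process-list module would emit.
SAMPLE_RECORDS = [
    {"timestamp": "2021-07-20 08:15:02", "module": "safari_history", "url": "https://www.apple.com/"},
    {"timestamp": "2021-07-20 08:16:40", "module": "safari_history",
     "url": "https://cdn.bad-domain.example.invalid/payload"},   # subdomain of an indicator
    {"timestamp": "2021-07-20 08:16:41", "module": "processes", "process": "suspiciousd"},
    {"timestamp": "2021-07-20 08:17:00", "module": "safari_history",
     "url": "https://notbad-domain.example.invalid/"},          # must NOT match: not a subdomain
]


def run_sample() -> list:
    """Run the constructed records against the constructed bundle."""
    return check_records(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2))


if __name__ == "__main__":
    for hit in run_sample():
        print(hit["timestamp"], hit["module"], "matched", hit["matched_ioc"])
```

The fourth sample record is the case that naive substring matching gets wrong: "notbad-domain.example.invalid" contains the indicator string but is an unrelated host, so it must not be flagged; the suffix check with a leading dot handles that while still catching real subdomains.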
How to Remove Pegasus Spyware from your iPhone
If MVT reports a compromise, we suggest the following methods.
- If your iPhone is not jailbroken, you can remove Pegasus with a factory reset (hard reset). Keep the old backup aside; restoring it onto the phone is not recommended, because we don't know which loophole Pegasus used (it could be media files or other stored content).
- If you are on a jailbroken iPhone, you have already violated Apple's policy and Apple will not help you. Because iOS is not open source and uses its own kernel, there is no practical custom ROM. In this case, we suggest a full reset of the device followed by another check. If Pegasus is still present, you would need to get yourself a new phone.
This is how you can use MVT to detect and remove Pegasus spyware from your mobile phone. Pegasus has been called the most sophisticated hacking software available today for intruding into phones. NSO Group has stated that it accepts no responsibility for misuse of the Pegasus software and that it only sells the tool to vetted governments rather than individuals or other entities.
The maker of powerful spy software allegedly used to hack the phones of innocent people says blaming the company is like "criticising a car manufacturer when a drunk driver crashes".
We hope you have enjoyed this tutorial and have had a good learning experience.