How to Check if Your iPhone is Infected with Pegasus Spyware.

Concerned about the recent revelations of widespread political espionage? Journalists, activists, prime ministers, presidents and a king were among the more than 1,000 people in 50 countries identified as allegedly under surveillance using the Pegasus spyware.


The Israeli firm issued a denial on Sunday July 25, 2021 – "We would like to emphasize that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts."

Pegasus

Pegasus is spyware developed by the Israeli infosec firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. The 2021 Project Pegasus revelations suggest that current Pegasus software is able to exploit all recent iOS versions up to iOS 14.6. According to the Washington Post and other prominent media sources, Pegasus is very, very dangerous — it gives the operator full control of the smartphone: secretly reading correspondence, wiretapping phone conversations and viewing photos and videos, as well as call and location tracking, thus turning the phone into a constant surveillance device. To add fuel to the fire, popular antivirus products cannot detect Pegasus, since the malware exploits zero-day vulnerabilities that are unknown to the developers of operating systems and antivirus applications.
Pegasus is just very dangerous!

[Figure: How Pegasus infiltrates a phone and what it can do. Guardian graphic]

What is MVT?

Meanwhile, Amnesty International researchers have created a tool that allows you to determine whether your phone is being targeted by spyware. The Mobile Verification Toolkit (MVT) is designed to help you determine whether the Pegasus spyware has targeted your phone, and its source code is available for free on GitHub. It works with both Android and iOS devices, though the researchers noted that signs of compromise are easier to find on iPhone handsets than on Android devices, because more forensic traces are available on Apple hardware.
In its current stage, MVT requires some command-line knowledge. It may, however, receive a graphical user interface (GUI) over time.

Once a backup is created, MVT uses known “indicators of compromise” such as domain names and binaries which can provide evidence of infection. The tool is continuously evolving, and some of its key features include:

  • Decrypt encrypted iOS backups.
  • Process and parse records from numerous iOS system and apps databases, logs, and system analytics.
  • Extract installed applications from Android devices.
  • Extract diagnostic information from Android devices through the adb protocol.
  • Compare extracted records to a provided list of malicious indicators in STIX2 format.
  • Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
  • Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

Installation of MVT on Mac (Only)


Dependencies on Mac

Before proceeding, please note that MVT requires Python 3.6+, Xcode and Homebrew to be installed.

$ brew install python3

Installing MVT

If you haven't done so already, add the following to your .bashrc or .zshrc (depending on whether your shell is bash or zsh) so that locally installed PyPI binaries are on your $PATH:

$ nano ~/.zshrc

Add the following line at the end of the file:

export PATH=$PATH:~/.local/bin

Then you can install MVT

$ pip install mvt

Or from the source code:

$ git clone https://github.com/mvt-project/mvt.git
$ cd mvt
$ pip3 install .

You should now have the mvt-ios and mvt-android utilities installed.
You can verify by running:

$ mvt-ios --help

OUTPUT

Usage: mvt-ios [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  check-backup    Extract artifacts from an iTunes backup
  check-fs        Extract artifacts from a full filesystem dump
  check-iocs      Compare stored JSON results to provided indicators
  decrypt-backup  Decrypt an encrypted iTunes backup

iOS Forensic Methodology


To analyze an iOS device, we must first collect data from its filesystem, which can then be analyzed with MVT.
There are currently two forensic methodologies available: "Filesystem Dump" and "iTunes Backup." They require different levels of technical know-how: the developers indicate that jailbreaking might be required for the filesystem dump method, while the iTunes backup, though more limited in scope, can still provide some details on a compromise of your device.
Here, we will focus on the iTunes Backup.

Install libimobiledevice

These utilities will come in handy for extracting crash logs and creating iTunes backups. Because the utilities and their libraries change frequently in response to new iOS versions, you may want to compile the libimobiledevice utilities from source. Otherwise, you can try the packaged version from your package manager.

On Mac, you can try installing it from brew:

$ brew install --HEAD libimobiledevice

If you have a recent version of libimobiledevice in your package manager, it might work right away. Connect your iOS device to your computer via USB and run the following; the phone will ask you to unlock it and enter the PIN code.

$ ideviceinfo

OUTPUT

ActivationState: Activated
ActivationStateAcknowledged: true
BasebandActivationTicketVersion: V2
BasebandCertId: Xxxxxx
BasebandChipID: 101
BasebandKeyHashInformation: 
 AKeyStatus: 0
 SKeyHash: u+/tXxXXxxxxxxxxxxxxxxxxxxxX=
 SKeyStatus: 0
BasebandMasterKeyHash: TYRTW34567t8y7gy
BasebandRegionSKU: 
BasebandSerialNumber: RT3456789889
BasebandStatus: BBInfoAvailable
BasebandVersion: 4.04.00
BluetoothAddress: X0:35:z0:rr:22:f3
BoardId: 10
BrickState: false
BuildVersion: 12Y45
CPUArchitecture: arm64

(The values above are not real; they are placeholders for the sake of this tutorial.)

If it complains that no device is connected even though the device is plugged in through the USB cable, you might need to do this first:

$ sudo usbmuxd -f -d
$ idevicepair pair

Backup with iTunes app


To do that:

  • Make sure iTunes is installed.
  • Connect your iPhone to your computer using a Lightning/USB cable.
  • Open the device in iTunes (or Finder on macOS).
  • If you want to have a more accurate detection, ensure that the encrypted backup option is activated and choose a secure password for the backup.
  • Start the backup and wait for it to finish (this may take up to 30 minutes).
  • Once the backup is done, find its location and copy it to a place where it can be analyzed by mvt.
    On Windows, the backup can be stored either in %USERPROFILE%\Apple\MobileSync\ or %USERPROFILE%\AppData\Roaming\Apple Computer\MobileSync\.
    On Mac OS, the backup is stored in ~/Library/Application Support/MobileSync/.

Decrypting and Extracting a backup

In case you have an encrypted backup, you will need to decrypt it first.
This can be done with mvt-ios as well:

$ mvt-ios decrypt-backup --help


Usage: mvt-ios decrypt-backup [OPTIONS] BACKUP_PATH

  Decrypt an encrypted iTunes backup

Options:
  -d, --destination TEXT  Path to the folder where to store the decrypted
                          backup  [required]

  -p, --password TEXT     Password to use to decrypt the backup NOTE: This
                          argument is mutually exclusive with arguments:
                          [key_file].

  -k, --key-file PATH     File containing raw encryption key to use to decrypt
                          the backup NOTE: This argument is mutually exclusive
                          with arguments: [password].

  --help                  Show this message and exit.

You can specify either a password via command-line or pass a key file, and you need to specify a destination path where the decrypted backup will be stored. Following is an example usage of decrypt-backup:

$ mvt-ios decrypt-backup -p password -d /path/to/decrypted /path/to/backup

This command writes the decrypted backup to the destination folder given with -d (which is required); that folder is what you pass to check-backup next.

Run mvt-ios on a Backup


Once you have a decrypted backup available you can use the check-backup subcommand:

$ mvt-ios check-backup --help


Usage: mvt-ios check-backup [OPTIONS] BACKUP_PATH

  Extract artifacts from an iTunes backup

Options:
  -i, --iocs PATH     Path to indicators file
  -o, --output PATH   Specify a path to a folder where you want to store JSON
                      results

  -f, --fast          Avoid running time/resource consuming features
  -l, --list-modules  Print list of available modules and exit
  -m, --module TEXT   Name of a single module you would like to run instead of
                      all

  --help              Show this message and exit.

Following is a basic usage of check-backup:

$ mvt-ios check-backup --output /path/to/output/ /path/to/backup/udid/

This command will create a few JSON files containing the results from the extraction. If you do not specify a --output option, mvt-ios will just process the data without storing results on disk.

[Screenshot: output of mvt-ios check-backup]

Check for potential Signs of Compromise

Use the check-iocs subcommand to compare stored JSON results to provided indicators.

$ mvt-ios check-iocs --help
Usage: mvt-ios check-iocs [OPTIONS] FOLDER

  Compare stored JSON results to provided indicators

Options:
  -i, --iocs PATH     Path to indicators file  [required]
  -l, --list-modules  Print list of available modules and exit
  -m, --module TEXT   Name of a single module you would like to run instead of
                      all
  --help              Show this message and exit.

Amnesty International has released a Technical Methodology report which outlines how to use these indicators to hunt for Pegasus and other mobile spyware products. MVT can be used with the pegasus.stix2 indicators to check devices for potential signs of compromise with Pegasus spyware.
In case of a compromise, MVT will highlight any suspicious activity.
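As an added illustration of what check-iocs does with a STIX2 indicators file (this is not MVT's own code, which lives on GitHub), the following Python pulls domain-name indicators out of a STIX2 bundle and matches them against records shaped like the JSON results check-backup writes. The bundle, the .invalid domains and the records are constructed placeholders, not real Pegasus indicators.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle using the domain-name pattern shape MVT's
# indicator files use. The .invalid domains are placeholders, not real IOCs.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'ioc-example.invalid']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn.ioc-example2.invalid']"},
        {"type": "malware", "name": "placeholder"},  # non-indicator objects are skipped
    ],
})

# Constructed records shaped like MVT's safari_history JSON output.
SAMPLE_RECORDS = [
    {"id": 1, "url": "https://www.apple.com/", "isodate": "2021-07-01 10:00:00"},
    {"id": 2, "url": "https://ioc-example.invalid/x", "isodate": "2021-07-02 11:30:00"},
    {"id": 3, "url": "http://a.cdn.ioc-example2.invalid/p?q=1", "isodate": "2021-07-03 09:15:00"},
    {"id": 4, "url": "https://notioc-example.invalid/", "isodate": "2021-07-04 08:00:00"},
]

PATTERN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")


def load_domain_indicators(stix2_text):
    """Return the set of domain-name indicators found in a STIX2 bundle (JSON text)."""
    bundle = json.loads(stix2_text)
    domains = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if match:
            domains.add(match.group(1).lower())
    return domains


def domain_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one (a.b.c matches b.c, not xb.c)."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def check_records(records, indicators):
    """Return the records whose URL hostname hits an indicator, as check-iocs would flag."""
    hits = []
    for rec in records:
        host = urlparse(rec.get("url", "")).hostname
        if host and domain_matches(host, indicators):
            hits.append(rec)
    return hits
```

Record 4 is deliberately a near miss: suffix matching is done on whole labels, so "notioc-example.invalid" does not match the "ioc-example.invalid" indicator.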

How to Remove Pegasus Spyware from your iPhone

In that case, we suggest the following methods.

  • If your iPhone is not jailbroken (rooted), Pegasus can be removed by doing a factory reset or hard reset. Keep the backup aside: restoring it onto the phone is not recommended, because we don't know which loophole Pegasus used (it could be a media file or something else that was stored).
  • If we are on a jailbroken iPhone, then we have already violated Apple's policy and they are not going to help us. Because iOS is not open source and uses a different kernel, it has no practical custom ROM. In this case, we suggest a full reset of the device and checking again. If Pegasus is still present, you would need to get yourself a new phone.

This is how we can use MVT to detect and remove Pegasus Spyware from your mobile phone device. Pegasus has been called the most sophisticated hacking software available today to intrude phones. NSO Group has stated that it accepts no responsibility for misuse of the Pegasus software and that it only sells the tool to vetted governments rather than individuals or other entities.

The maker of powerful spy software allegedly used to hack the phones of innocent people says blaming the company is like "criticising a car manufacturer when a drunk driver crashes".

We hope you have enjoyed this tutorial and have had a good learning experience.