Detecting Pegasus
This guide is intended for journalists and anyone else who has reason to believe they have been targeted with spyware. If you think your iPhone is compromised, take a snapshot of its contents as soon as possible, before evidence is overwritten by normal use.
Install MVT
Make sure you have docker and git installed on your system.
git clone https://github.com/mvt-project/mvt.git && cd mvt
docker build -t mvt .
Start the container
Plug in your iPhone and start the container. Stop the host's usbmuxd first, so the container's own usbmuxd can claim the device; the backup is written to the iphone directory, which is bind-mounted into the container.
sudo systemctl stop usbmuxd.service
mkdir -p iphone
docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb -v $(pwd)/iphone:/home/cases/iphone mvt
Pair Your Device
Start usbmuxd inside the container, then pair. Your device will prompt you for your passcode and ask if you trust this computer. Tap Trust.
usbmuxd
idevicepair pair
After pairing you should see the following output:
SUCCESS: Paired with device <DEVICE>
Run ideviceinfo to make sure your device is recognized.
Create an encryption key
Backup encryption must be enabled, otherwise iOS leaves out parts of the backup (such as saved credentials and some health and browsing data) that a complete dump needs. Run the command below; the -i flag makes it prompt for a backup password and ask you to confirm it. Save this password somewhere safe. You will need it to decrypt the backup later on, and there is no way to recover it.
idevicebackup2 -i encryption on
After confirming from your device, you should see the following output:
Backup encryption has been enabled successfully.
Create an encrypted backup
mkdir -p iphone/backup
idevicebackup2 backup --full iphone/backup
idevicebackup2 writes the backup into a subdirectory of iphone/backup named after the device's UDID. A full backup can take a long time; when it finishes you should see something like the following:
Received x files from device.
Backup Successful.
Run ls -al iphone/backup/* to confirm the encrypted backup exists; the UDID directory should contain Manifest.plist, Manifest.db and Status.plist alongside the hashed file directories.
Scanning for Indicators of Compromise
The Security Lab at Amnesty International maintains a public list of indicators of compromise (IOCs), in STIX2 format, from their technical investigations. We will check the artifacts in the backup against these for any matches.
Download the latest IOCs from Amnesty International
mvt-ios download-iocs
Decrypt the backup
This will prompt you for the backup password you created earlier. decrypt-backup expects the directory that contains Manifest.plist; if the command below complains that it cannot find Manifest.plist, pass the UDID subdirectory that idevicebackup2 created instead of iphone/backup.
mkdir -p iphone/decrypted
mvt-ios decrypt-backup -d iphone/decrypted iphone/backup
Run ls -al iphone/decrypted/* to confirm the backup was decrypted successfully.
Scan the backup
The scan extracts the artifacts available in an iTunes-style backup (SMS and iMessage, WhatsApp, Safari history, installed apps and similar) and checks them against the downloaded IOCs: malicious domains, process names, file paths and other indicators that Amnesty recovered from known compromised devices.
mkdir -p iphone/scan
mvt-ios check-backup -o iphone/scan iphone/decrypted
This will populate the scan directory with a JSON file per module and a timeline.csv for you to analyze. A module that matched an indicator additionally writes a *_detected.json file (and matching timeline entries go to timeline_detected.csv); if nothing matched, no *_detected files are created.
Run ls -al iphone/scan | grep detected to check for any matches.
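The grep above only tells you that something matched. As an added example (not part of MVT or of this guide), the following Python script reads every *_detected.json file in the scan directory and prints, per module, how many records were flagged and which indicators they matched. It assumes MVT's output shape of a JSON list of records in which a flagged record carries a "matched_indicator" dict with "type" and "value" keys; that assumption is labelled in the code, and records without such a key are still counted rather than silently dropped. The sample scan directory it can build with --demo is constructed from made-up names and is not real IOC data.

```python
#!/usr/bin/env python3
"""Triage helper for an mvt-ios check-backup output directory.

Added example, not part of MVT. It walks a scan directory, loads every
*_detected.json file that mvt-ios wrote, and reports one line per module
with the count of flagged records and the indicators they matched.

Assumptions (not verified against every MVT release):
  * each *_detected.json holds a JSON list of records;
  * a record flagged by an IOC carries a "matched_indicator" dict with
    at least "type" and "value" keys.
Records lacking that key are reported as "unknown indicator", so a schema
change shows up in the output instead of producing a misleading zero.
"""
import json
import sys
import tempfile
from collections import Counter
from pathlib import Path


def load_detections(scan_dir):
    """Return {module_name: [records]} for every *_detected.json in scan_dir."""
    detections = {}
    for path in sorted(Path(scan_dir).glob("*_detected.json")):
        module = path.name[: -len("_detected.json")]
        with path.open() as fh:
            records = json.load(fh)
        if not isinstance(records, list):
            # A single object or unexpected shape should not abort triage.
            records = [records]
        detections[module] = records
    return detections


def indicator_label(record):
    """Format 'type:value' of the IOC a record matched, or 'unknown indicator'."""
    ioc = record.get("matched_indicator") if isinstance(record, dict) else None
    if not isinstance(ioc, dict):
        return "unknown indicator"
    return f"{ioc.get('type', '?')}:{ioc.get('value', '?')}"


def summarize(detections):
    """Return [(module, record_count, Counter of indicator labels)], most hits first."""
    rows = [(module, len(records), Counter(indicator_label(r) for r in records))
            for module, records in detections.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def is_clean(scan_dir):
    """True when the scan directory contains no *_detected.json files at all."""
    return not any(Path(scan_dir).glob("*_detected.json"))


def build_sample_scan():
    """Write a constructed (fake) scan directory so the script can be tried offline.

    The domain and process name below are made up; they are not real indicators.
    """
    scan_dir = Path(tempfile.mkdtemp(prefix="mvt-scan-"))
    (scan_dir / "safari_history.json").write_text("[]")  # a module with no hits
    (scan_dir / "safari_history_detected.json").write_text(json.dumps([
        {"url": "https://example.invalid/a",
         "matched_indicator": {"type": "domains", "value": "example.invalid"}},
        {"url": "https://example.invalid/b",
         "matched_indicator": {"type": "domains", "value": "example.invalid"}},
    ]))
    (scan_dir / "processes_detected.json").write_text(json.dumps([
        {"proc_name": "fakeproc"},  # no matched_indicator key: exercises the fallback
    ]))
    return scan_dir


def main(argv):
    """Usage: triage.py [SCAN_DIR | --demo]. Exit 1 when anything was detected."""
    arg = argv[1] if len(argv) > 1 else "iphone/scan"
    scan_dir = build_sample_scan() if arg == "--demo" else Path(arg)
    if is_clean(scan_dir):
        print(f"{scan_dir}: no *_detected.json files (no IOC matches)")
        return 0
    for module, count, iocs in summarize(load_detections(scan_dir)):
        print(f"{module}: {count} flagged record(s)")
        for label, n in iocs.most_common():
            print(f"    {n:4d} x {label}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 triage.py iphone/scan from inside the container (or wherever the scan directory is mounted); the non-zero exit status when matches exist makes it easy to chain into a script.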
Remove the decrypted backup
The decrypted copy holds your messages and browsing history in the clear, so remove it once the scan is done and keep only the encrypted backup. This will take some time; wait for it to finish. Note that shred's overwrite is only reliable on traditional filesystems: on SSDs and copy-on-write or journaling filesystems old blocks may survive, so if possible keep the iphone directory on encrypted storage to begin with.
find iphone/decrypted -type f -exec shred -u --random-source=/dev/urandom {} \;
rm -rf iphone/decrypted && exit
Analysis
If you detect a match, assume your device is compromised and act accordingly. Note, however, that a clean result is not proof of safety: spyware evolves quickly and more recent variants are built to evade known indicators. In either case, keep your encrypted backup somewhere safe and reach out to a forensics specialist for help. A full file system dump, which requires a jailbroken device, is far more informative than a backup and is what MVT's check-fs command is built to analyze.