Pegasus

If you’re concerned about recent reports of the Pegasus spyware reportedly installed by the Israeli NSO Group to hack journalists and world leaders, there’s a tool to check if it’s hidden on your iPhone. But you probably have nothing to worry about.

According to a report in the Washington Post in conjunction with nonprofit groups Forbidden Stories and Amnesty International and several others, military-grade spyware developed by an Israeli firm was used to hack some 40 smartphones “belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi.”

It’s extremely unlikely that your phone has been hacked using NSO software, but there is now a way to check your iPhone for Pegasus spyware – or, at least, some tell-tale signs.

The spyware was used to target human rights activists, lawyers, journalists, and politicians, and has been linked to assaults and murder of dissidents, so the chances of a random iPhone user being impacted are exceedingly low …

However, if you are concerned, Amnesty International has released a tool designed to help you check.

The bad news, as TechCrunch explains, is that it’s not an entirely straightforward process.

The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed in for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.

The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.

Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files.

You can download the tool from GitHub, and find detailed documentation here.

There has been some misreporting of the spyware, suggesting that iPhones were somehow more vulnerable. The reality is that Amnesty focused its efforts on iPhones because the improved security they offer make it easier to detect when a phone has been compromised. It is possible to check Android phones, but with many more false negatives.

The phones appeared on a list of more than 50,000 phone numbers, according to the Post. NSO has denied the allegations.

There’s a good chance your iPhone isn’t on that list. While the legality of the operation may be in question, reports say the NSO seemingly targeted high-level politicians, government officials, and journalists in the operation and were only successful less than half the time. For example, Amnesty International examined 67 phones and found that “23 were successfully infected and 14 showed signs of attempted penetration.” Of those, nearly all were iPhones, according to the investigation.

But if you’re concerned, there’s a way to test whether your iPhone has been targeted. It’s not an easy test, mind you, but if you’re using a Mac or Linux PC and have backed up your iPhone using it, Amnesty International’s the Mobile Verification Toolkit will be able to detect whether your phone has the Pegasus spyware installed on it. The tool, which TechCrunch tested, works using the macOS Terminal app and searches your latest iPhone backup on your Mac, “is not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal.” You’ll need to install libusb as well as Python 3 using Homebrew. (You can learn more about the installation here.) TechCrunch says the check only takes “about a minute or two to run” once it’s been set up.