Amnesty International, part of the group that helped break the news that journalists and heads of state were targeted with NSO Group's government-grade spyware, Pegasus, has released a tool to check whether your phone has been affected. Alongside the tool is a large set of instructions that should walk you through the somewhat technical verification process. Using the tool involves backing up your phone to a separate computer and then verifying that backup. Read on if you've been looking sideways at your phone since the news broke and want tips on using Amnesty's tool.
The first thing to note is that the tool is command-line based and run from a terminal, so it will take either some technical skill or some patience to get it running. We try to cover most of what you need to know to be up and running here, but it's worth knowing before you get started.
The second note is that the scan Amnesty's tool performs seems to work best for iOS devices. In its documentation, Amnesty states that the scan its tool can perform on Android phone backups is limited, but it can still search for potentially malicious SMS messages and APKs. Again, we recommend following its instructions.
To check your iPhone, the easiest way to start is to make an encrypted backup using iTunes or Finder on a Mac or PC. You will then need to locate this backup, which Apple provides instructions for. Linux users can follow Amnesty's instructions on using the libimobiledevice command-line tool to create a backup.
After getting a backup of your phone, you will then need to download and install Amnesty’s mvt program, which Amnesty also provides instructions for.
If you are using a Mac to run the check, you must first install both Xcode, which can be downloaded from the App Store, and Python 3 before you can install and run mvt. The easiest way to get Python 3 is to use a program called Homebrew, which can be installed and run from the terminal. After installing them, you will be ready to follow Amnesty's iOS instructions.
If you're having trouble decrypting your backup, you're not alone. The tool was giving me errors when I pointed it at my backup in its default folder. To resolve this, I copied the backup folder from the default location to a folder on my desktop and pointed mvt at that copy. My command ended up looking like this:
(For illustration purposes only. Please use commands from Amnesty’s instructions, as the program may have been updated.)
mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig
When performing the actual scan, you will want to point to an Indicators of Compromise file, which Amnesty provides as a file called pegasus.stix2. Those new to using the terminal may be wondering how to actually point to a file, but it’s relatively easy as long as you know where the file is located. For beginners, I recommend that you download the stix2 file to the Downloads folder on your Mac. Then when you get to the step where you actually run the check-backup command, add
-i ~/Downloads/pegasus.stix2
in the options section. For reference, my command ended up looking like this. (Again, this is for illustration purposes only; copying these commands and running them as-is will result in an error, because the paths are specific to my machine):
mvt-ios check-backup -o logs --iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt
(For reference, ~/ acts more or less like a shortcut to your user folder, so you don't need to type out something like /Users/mitchell.)
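As an added example (it is not code from Amnesty's MVT project or from the article), here is a small shell wrapper for the decrypt-and-scan steps above. It assumes mvt is installed, that the command syntax shown above is still current, and that the backup password is supplied in a BACKUP_PASSWORD environment variable; set DRY_RUN=1 to see the commands without running them.

```shell
# Added helper, not Amnesty's code. Runs the two mvt-ios steps from the article
# with the checks that catch the most common path mistakes first.
# Usage: BACKUP_PASSWORD=... run_pegasus_check BACKUP_DIR DECRYPT_DIR IOC_FILE OUT_DIR
# e.g.   run_pegasus_check ~/Desktop/bkp/orig ~/Desktop/bkp/decrypt \
#                          ~/Downloads/pegasus.stix2 ~/Desktop/bkp/logs
run_pegasus_check() {
    backup="$1"; decrypt="$2"; iocs="$3"; out="$4"

    # Every iTunes/Finder backup folder contains Manifest.db; if it is missing,
    # the path almost certainly points one level too high or too low.
    if [ ! -f "$backup/Manifest.db" ]; then
        echo "no Manifest.db in '$backup': point at the folder named after the device" >&2
        return 1
    fi
    # An empty or missing indicator file would make the scan silently find nothing.
    if [ ! -s "$iocs" ]; then
        echo "indicator file '$iocs' is missing or empty: re-download pegasus.stix2" >&2
        return 1
    fi
    mkdir -p "$decrypt" "$out"

    # Dry run: print the exact commands (password masked) instead of executing them.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "mvt-ios decrypt-backup -p '***' -d '$decrypt' '$backup'"
        echo "mvt-ios check-backup -o '$out' --iocs '$iocs' '$decrypt'"
        return 0
    fi
    if [ -z "${BACKUP_PASSWORD:-}" ]; then
        echo "set BACKUP_PASSWORD to the password used for the encrypted backup" >&2
        return 1
    fi
    # Paths are quoted throughout so folders with spaces in their names work.
    mvt-ios decrypt-backup -p "$BACKUP_PASSWORD" -d "$decrypt" "$backup" || return 1
    mvt-ios check-backup -o "$out" --iocs "$iocs" "$decrypt"
}
```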
Again, I would recommend following Amnesty's instructions and using its commands, as there is always a possibility that the tool has been updated. Security researcher @RayRedacted on Twitter also has a great thread reviewing some of the issues you may encounter while running the tool and how to resolve them.
Finally, Amnesty only provides instructions for installing the tool on macOS and Linux systems. For those looking to run it on Windows, The Verge confirmed that the tool can be used by installing the Windows Subsystem for Linux (WSL) and following Amnesty's Linux instructions. Using WSL requires downloading and installing a Linux distribution, like Ubuntu, which will take some time. This can, however, be done while you are waiting for your phone to back up.
After running mvt, you will see a list of warnings about suspicious files or behavior. It should be noted that a warning does not necessarily mean that you have been infected. For me, some redirects that were totally above board appeared in the section where it was checking my Safari history (sheets.google.com redirecting to docs.google.com, reut.rs redirecting to reuters.com, etc.). Likewise, I had a few errors, but only because the program was looking for apps that I did not have installed on my phone.
The story around Pegasus has probably left many of us looking at our phones with a bit more suspicion than usual, whether or not we are likely to be targeted by a nation state. While running the tool can (hopefully) help allay some fears, it's probably not a necessary precaution for many Americans. NSO Group said its software cannot be used on phones with US numbers, according to The Washington Post, and the investigation found no evidence that US phones had been successfully hacked by Pegasus.
While it's nice to see that Amnesty has made this tool available with solid documentation, it only really helps with the privacy issues around Pegasus. As we saw recently, a government does not need to tap your phone's microphone and camera to obtain private information: the data broker industry could sell your location history even if your phone is free of Pegasus.