
How to check if your phone was targeted by Pegasus

There is fear that the spyware, which allegedly surveilled journalists and activists, may have been used to track citizens' movements as well
Last Updated 20 July 2021, 11:31 IST

Israel-made spyware Pegasus has been in the news after reports emerged last week that it allegedly surveilled over 40 journalists and activists.

The spyware and the firm that provides it, NSO Group, were allegedly linked to 50,000 smartphone numbers, including activists, journalists and politicians around the world.

The NSO Group denied allegations of mass surveillance saying it does not have any visibility on its customers' data.

While the political slugfest this has set off unravels, there is a fear that the spyware may have been used to track citizens' movements as well. While the NSO Group claims the spyware leaves no trace on a compromised device, Amnesty International believes otherwise and has issued a toolkit that can be used to check if your device has been used for snooping.

The toolkit called Mobile Verification Toolkit (MVT) is a collection of utilities designed to facilitate the consensual forensic acquisition of iOS and Android devices for the purpose of identifying any signs of compromise.

According to the developers, the MVT can decrypt encrypted iOS backups, process and parse records from numerous iOS system and apps databases, logs and system analytics, extract installed applications from Android devices, extract diagnostic information from Android devices through the adb protocol, compare extracted records to a provided list of malicious indicators in STIX2 format, generate logs of extracted records, separate logs of all detected malicious traces, and generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.

While the toolkit is capable of extracting and processing various types of very personal records typically found on a mobile phone (such as calls history, SMS and WhatsApp messages, etc.), this is intended to help identify potential attack vectors such as malicious SMS messages leading to exploitation, the developers have said.
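To make the indicator-matching step concrete, here is an added Python example (not MVT's own code and not from the article) that loads domain indicators from a STIX2 bundle, checks links found in SMS-style records against them, and returns the detections in chronological order. The bundle, the records, the placeholder domains and all function names are constructed for illustration.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle, trimmed to the fields used here; domains are placeholders.
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value='bad-redirect.example']"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value='track.malicious.example']"},
    {"type": "malware", "name": "placeholder-family"},
]})

# Constructed records, shaped like rows pulled from an SMS database.
RECORDS = [
    {"ts": "2021-07-05T09:14:00", "source": "sms", "text": "Parcel held: https://cdn.bad-redirect.example/t?id=1"},
    {"ts": "2021-07-02T08:00:00", "source": "sms", "text": "News: http://TRACK.malicious.example/x"},
    {"ts": "2021-07-03T10:30:00", "source": "sms", "text": "Lookalike https://notbad-redirect.example/"},
    {"ts": "2021-07-04T11:45:00", "source": "sms", "text": "Embedded https://bad-redirect.example.safe.example/"},
    {"ts": "2021-07-06T12:00:00", "source": "sms", "text": "Lunch at noon?"},
]

DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def load_domain_indicators(bundle_json):
    """Collect lower-cased domains from simple domain-name indicator patterns."""
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # skip malware, report and other non-indicator objects
        match = DOMAIN_PATTERN.fullmatch(obj.get("pattern", "").strip())
        if match:
            domains.add(match.group(1).lower())
    return domains

def matches_indicator(host, domains):
    """Match the exact domain or a subdomain, never a substring or lookalike."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def detection_timeline(records, domains):
    """Return (timestamp, source, host) for every matching link, oldest first."""
    hits = []
    for rec in records:
        for url in URL_PATTERN.findall(rec["text"]):
            host = urlparse(url).hostname or ""
            if matches_indicator(host, domains):
                hits.append((rec["ts"], rec["source"], host))
    return sorted(hits)
```

Matching on the parsed hostname rather than searching the message text for the domain string is what keeps the lookalike and embedded-domain records out of the detections.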

Using the toolkit requires a fair bit of technical know-how and possible jailbreaking of iOS devices. The toolkit uses either Linux or macOS dependencies for installation, with the presence of Python 3.6 or above required beforehand. You can either follow the documentation's command line prompt on the operating systems or use the GitHub repository for the installation of the program.

On iOS, the toolkit provides two courses of action for analysing and detecting a compromise: Filesystem dump and iTunes backup. Both of these methods require different levels of technical know-how, but the developers indicate jailbreaking might be required if you are using the filesystem dump method, while the iTunes backup, though more limited in scope, can still provide some details on a compromise in your device.

On iOS, the developers recommend installing libimobiledevice utilities to help extract crash logs and generate iTunes backups. After installing that (or via iTunes), create a backup, connect your Apple device to a computer, and check the backup file with a command called mvt-ios.

In case you are planning on using the filesystem dump, the developers suggest jailbreaking the device. While we don't recommend jailbreaking as it can void your warranty, you can find out how to do that in the documentation if you are interested.

Checking whether an Android device is compromised by Pegasus requires use of the mvt-android command, which requires connecting the device to a computer with USB debugging enabled.

After connecting the device, you have two options: Using APKs (the installer format used on Android apps) or an Android Backup. The tool allows users to extract the APKs and/or the backup, which can be used to check if a malicious attack was conducted against your device.

(Published 20 July 2021, 09:56 IST)
