Amnesty International has released a tool to help determine if an iPhone has been compromised by NSO Pegasus spy software. Here are the steps to get there.
More than 50,000 people are on the mysterious list used by security researchers at Amnesty International Security Lab (AISL) to reveal the extent of the surveillance of NSO’s Pegasus software. Are you one of them? Is your phone infected with this spyware?
AISL experts have developed the “Mobile Verification Toolkit” (MVT). It lets you check both Android and iOS devices. In this article, we will only cover the procedure for iPhone. Here are the steps to follow on a Windows 10 computer. It is a bit technical, but if you follow our steps one by one, you should be fine.
Creation of the analysis environment
1) Your best bet is to run MVT in Docker Desktop, free software that lets you launch applications in software containers. To download and install Docker Desktop, go to the site docker.com, select the version that suits your computer and let it guide you. Then launch Docker Desktop.

2) Install “Git for Windows”, the software for managing versions of computer code.

3) Open the “Git CMD” interface and run the following command lines:
- git clone https://github.com/mvt-project/mvt.git
- cd mvt
- docker build -t mvt .
The MVT image has been built and it should now be visible in Docker Desktop.
4) Go to the Windows Store and install the Ubuntu distribution.
Then, in Docker Desktop, go to the “Settings → Resources → WSL Integration” menu and check the Ubuntu box.
5) Create an “mvt-scan” folder on a volume that has sufficient storage space. In our case, we took a 128 GB USB stick, which mounted on drive E. Open a PowerShell command window and run the following commands:
- cd [path to your mvt-scan folder]
- mkdir iocs
- mkdir results
- cd iocs
- Invoke-WebRequest https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2 -OutFile pegasus.stix2
You have just created the “iocs” and “results” folders, and downloaded the indicators of compromise identified by the AISL researchers.
Analysis of an iPhone or iPad
1) Make an unencrypted backup of your device using iTunes software and copy the directory of this backup to your “mvt-scan” folder. This directory should be in C:\Users\[your user name]\Apple\MobileSync\Backup. Its name is a series of numbers and letters. This operation may take some time.
2) Open a PowerShell window and type the command:
- wsl -d Ubuntu
If your mvt-scan folder is on an external storage medium, it will first need to be “mounted” in Ubuntu so that its contents can appear in the file system. In our case, this gives:
- sudo mkdir /mnt/e
- sudo mount -t drvfs e: /mnt/e
3) Then you have to launch the MVT analysis in the Docker environment. To do this, type the following commands:
- docker run -v [path to the mvt-scan directory]:/home/cases/mvt-scan -it mvt
- mvt-ios check-backup --iocs ./mvt-scan/iocs/pegasus.stix2 --output ./mvt-scan/results/ ./mvt-scan/[name of the iOS backup directory]
If the “mvt-scan” directory is on the local disk, all you have to do is indicate the Windows path, but replacing the backslashes with slashes. For example: “~/Desktop/mvt-scan”. If it is on an external disk, it will be necessary to use the access created above, in this case “/mnt/e/mvt-scan”.
4) The results of the analysis are stored in the “results” folder as JSON files. If you find a file there whose name includes the word “detected”, then you have been infected with Pegasus. It is recommended that you then contact Amnesty International.
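The file-name check from step 4, as an added example that is not part of the original article or of MVT itself: a Python function that separates an empty results folder (the scan wrote nothing) from a folder that contains no flagged files. The file names, the record contents and the assumption that each result file holds a JSON list are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def triage_results(results_dir):
    """Classify an MVT results folder by file name, as step 4 describes.

    Returns (status, detections): status is "no-output", "clean" or
    "detected"; detections maps each flagged file name to its record count
    (None if the file could not be parsed as JSON).
    """
    results = Path(results_dir)
    json_files = sorted(results.glob("*.json")) if results.is_dir() else []
    if not json_files:
        # An empty folder means the scan wrote nothing (wrong path, failed
        # run); it is not evidence of a clean device.
        return "no-output", {}
    detections = {}
    for path in json_files:
        if "detected" not in path.name.lower():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            # Assumption: a result file holds a list of records.
            detections[path.name] = len(data) if isinstance(data, list) else 1
        except (OSError, ValueError):
            detections[path.name] = None  # flagged by name, needs manual review
    return ("detected" if detections else "clean"), detections


def demo():
    """Build a constructed results folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files; names and contents are illustrative only.
        (root / "sms.json").write_text(json.dumps([{"id": 1}, {"id": 2}]))
        (root / "sms_detected.json").write_text(json.dumps([{"id": 2}]))
        (root / "safari_history_detected.json").write_text("{truncated")
        return triage_results(root)


if __name__ == "__main__":
    status, hits = demo()
    print(status)
    for name, count in hits.items():
        print(f"  {name}: {count if count is not None else 'unreadable'} record(s)")
```

To use it on a real scan, call triage_results with the path of your own “results” folder.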
