Mobile Verification Toolkit vs Pegasus
Mobile Verification Toolkit (MVT) is a collection of utilities to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices.
Pegasus, NSO Group’s espionage malware, has been making headlines since a major investigation by journalists from around the world and Amnesty International proved that it was still active and used for political purposes:
Its latest versions can be installed without any user intervention, which makes it all the more dangerous. Simply receiving a message containing a link is enough for an iPhone running iOS 14.7 to be infected with the malware, as security researchers have managed to prove. Even if Pegasus is used mainly against specific targets and not as a mass surveillance tool (one of the arguments Apple puts forward in its own defense), you may have been infected without knowing it.
Amnesty International has created a tool to search for traces of the Pegasus spyware on your smartphone. You probably don’t need it, but a check doesn’t hurt.
Making sure that you have never been affected by this malware is practically impossible, or at least very difficult, because Pegasus can vanish after a restart while having already done its job of exfiltrating data. The security researchers who worked on Pegasus have nevertheless created a tool that can detect its known traces and alert you if it is still in place. This tool, called “Mobile Verification Toolkit”, or MVT, is distributed on GitHub, and you can use it on your own device.
MVT can work in two ways: the most complete requires full access to the file system, which on an iPhone implies a jailbreak. The simplest works from a backup of the smartphone, at the cost of some missing information: device caches, which may contain valuable clues, are not included in a backup. Note also that the tool supports Android as well as iOS, but the analysis is more involved and less exhaustive on Google’s system.
To test your iPhone, the easiest way is to make an encrypted local backup of it. This is done in the macOS Finder or in iTunes on Windows. Encrypting the backup is important to obtain the maximum amount of data; MVT can decrypt it before analysis using the password entered when the backup was created.
This procedure is long and requires a lot of storage space on the computer, especially if you scan a well-filled iOS device. The local backup alone takes tens of minutes, and decryption takes as long again, if not longer. Another caveat: MVT is written in Python and is used from the command line in a terminal. Installation with the necessary dependencies on a Mac is detailed at this address.
Analysis of the backup files lets you check whether Pegasus has left a trace somewhere. Since the work is done on a backup, important resources are missing, including caches, but it may be enough. If the malware is detected, a message is displayed in the terminal during the scan, and the tool generates a dedicated file with the details.
MVT is an interesting tool for research purposes, not really a turnkey app for the general public. Detecting Pegasus is not straightforward, especially after the fact, and the malware is constantly evolving, so the analysis will quickly become outdated. As with Apple and Google, which spend their time filling security gaps, it’s a cat and mouse game, and NSO Group is probably a few steps ahead.
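The backup workflow described above (decrypt the encrypted backup, scan it against indicators, then read the file MVT writes for each module that found something) can be wrapped in a small triage script. The following is example code added here; it is not part of MVT or of the original article. It assumes the mvt-ios CLI with its decrypt-backup and check-backup subcommands and the -p, -d, -i and -o flags, and MVT’s convention of writing a `<module>_detected.json` file next to each module’s full results whenever that module produced detections. The record fields inside the constructed sample files are placeholders chosen for illustration and are not real indicators.

```python
"""Wrapper and triage helper for the MVT iOS backup workflow.

Example code, not part of MVT. Assumptions: the mvt-ios CLI (decrypt-backup
and check-backup, with -p/-d/-i/-o) is on PATH when run_scan() is used, and MVT
writes <module>_detected.json for every module that flagged something. The
sample records written by write_constructed_output() are constructed placeholders.
"""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path


def mvt_commands(backup_dir, decrypted_dir, output_dir, iocs_path, password):
    """Build the two mvt-ios invocations for the procedure in the text:
    1. decrypt the encrypted Finder/iTunes backup into decrypted_dir,
    2. scan the decrypted copy against an indicator file, writing results to output_dir.
    Note: -p puts the password in the process list; check `mvt-ios decrypt-backup --help`
    for the key-file alternative if that matters on a shared machine."""
    decrypt = ["mvt-ios", "decrypt-backup", "-p", password,
               "-d", str(decrypted_dir), str(backup_dir)]
    check = ["mvt-ios", "check-backup", "-i", str(iocs_path),
             "-o", str(output_dir), str(decrypted_dir)]
    return decrypt, check


def run_scan(backup_dir, decrypted_dir, output_dir, iocs_path, password):
    """Run both steps in order. Returns False (instead of raising) when mvt-ios
    is not installed, so the caller can report the missing dependency."""
    if shutil.which("mvt-ios") is None:
        return False
    for argv in mvt_commands(backup_dir, decrypted_dir, output_dir, iocs_path, password):
        subprocess.run(argv, check=True)
    return True


def summarize_detections(output_dir):
    """Map each MVT module that flagged something to its number of hits.

    Modules that scanned clean leave only <module>.json behind, so only the
    *_detected.json files are read. Each such file holds a JSON list of records."""
    summary = {}
    for path in sorted(Path(output_dir).glob("*_detected.json")):
        module = path.name[: -len("_detected.json")]
        with path.open(encoding="utf-8") as fh:
            records = json.load(fh)
        summary[module] = len(records) if isinstance(records, list) else 1
    return summary


def write_constructed_output(output_dir):
    """Write a fake MVT output folder so the summary can be exercised offline.
    Domains, process names and timestamps are constructed placeholders."""
    out = Path(output_dir)
    out.mkdir(parents=True, exist_ok=True)
    # A module that scanned clean: full results only, no _detected.json.
    (out / "sms.json").write_text("[]", encoding="utf-8")
    # Two modules with constructed hits.
    (out / "safari_history_detected.json").write_text(json.dumps([
        {"url": "https://placeholder-ioc-domain.invalid/landing",
         "isodate": "2021-07-01T10:00:00Z"},
        {"url": "https://second-placeholder.invalid/",
         "isodate": "2021-07-02T11:30:00Z"},
    ]), encoding="utf-8")
    (out / "datausage_detected.json").write_text(json.dumps([
        {"proc_name": "placeholder-process-name",
         "isodate": "2021-07-03T09:15:00Z"},
    ]), encoding="utf-8")


def demo():
    """Offline demonstration: build a constructed output folder and summarize it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_output(tmp)
        return summarize_detections(tmp)


if __name__ == "__main__":
    for module, hits in demo().items():
        print(f"{module}: {hits} detection(s), see {module}_detected.json")
```

Against a real MVT output folder, calling `summarize_detections()` tells you which `_detected.json` files to open first; an empty summary means no module matched the indicators, which, as the article notes, is not proof that the device was never compromised.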