Amnesty International, part of the group that helped break the news of journalists and heads of state being targeted by NSO's government-grade spyware, Pegasus, has released a tool to check whether your phone has been affected. Alongside the tool is a good set of instructions, which should guide you through the somewhat technical checking process. To use the tool you need to back up your phone to a separate computer and then run the check against that backup. If you've been staring at your phone since the news broke and want to know how to use Amnesty's tool, read on.
The first thing to keep in mind is that the tool is command-line based: you run it from a terminal, so it requires either some technical experience or a fair amount of patience. We cover everything you need to know to get up and running here, but be prepared for that before diving in.
The second point is that Amnesty's analysis appears to work best on iOS devices. Its documentation says the checks the tool can run on Android backups are limited, though it can still look for potentially malicious SMS messages and APKs. Again, we recommend following Amnesty's instructions.
To check your iPhone, the easiest way to start is by making an encrypted backup using iTunes or Finder on a Mac or PC. You'll then need to locate that backup; Apple provides instructions for finding it. Linux users can back up their device by following Amnesty International's instructions for the libimobiledevice command line tool.
After getting a backup of your phone, you’ll then need to download and install Amnesty’s mvt program, which Amnesty also provides instructions for.
On a Mac, you'll first need to install Xcode, which can be obtained from the App Store, and Python3 before you can install and run mvt. You can learn more about installing and running Python3 here. The easiest way to obtain Python3 is with a program called Homebrew, which can be installed and run from the Terminal. After installing these, you'll be ready to run through Amnesty's iOS instructions.
If you run into trouble decrypting your backup, you are not alone. When I pointed the tool at my backup in its default location, I got an error message. To get around it, I copied the backup folder from the default location to a folder on my desktop and pointed mvt at that copy instead. My final command looked something like this:
(For illustration purposes only. Please use commands from Amnesty’s instructions, as it’s possible the program has been updated.)
mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig
When running the actual scan, you'll want to point the tool at an Indicators of Compromise (IOC) file, which Amnesty provides as a file called pegasus.stix2. Newcomers to the terminal can get confused about how to actually point to a file, but as long as you know where the file is, it's relatively simple. If you're a complete beginner, download the stix2 file to your Mac's Downloads folder. Then, when you get to the point where you're actually running the check-backup command, include the following in the options section:
--iocs ~/Downloads/pegasus.stix2
For the sake of completeness, here is what my command ended up looking like. (Again, this is for illustration only; if you copy and run these commands as-is, you will get an error message.):
mvt-ios check-backup -o logs --iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt
(For reference, the ~/ is more or less acting as a shortcut to your user folder, so you don’t have to add in something like /Users/mitchell.)
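As an added example (not from the article or from Amnesty's project), here is a small POSIX shell wrapper for the two-step procedure above that checks the backup folder and the IOC file actually exist before anything runs, and prints the resolved commands in a dry run so you can see what ~/ expanded to. The function names and the "dry" argument are my own; the ~/Desktop/bkp folder layout follows the article's.

```shell
#!/bin/sh
# Added example (not from the article or Amnesty's documentation): validate
# the paths before running the two mvt-ios steps, and show the exact commands
# in dry-run mode so you can see how "~" expands. The ~/Desktop/bkp layout
# is the article's own choice, not something mvt requires.

# Return 0 if DIR looks like an iOS backup (Apple backups contain Manifest.db).
looks_like_ios_backup() {
    [ -d "$1" ] && [ -f "$1/Manifest.db" ]
}

# check_pegasus ORIG_BACKUP DECRYPT_DIR IOC_FILE LOG_DIR [dry]
# Runs decrypt-backup, then check-backup with the IOC file. With a fifth
# argument of "dry" it only prints the commands, so you can confirm the
# paths before the step that asks for your backup password.
check_pegasus() {
    orig=$1; dec=$2; iocs=$3; logs=$4; mode=${5:-run}

    if ! looks_like_ios_backup "$orig"; then
        echo "error: '$orig' has no Manifest.db; point this at the backup folder (copy it out of the default location first)" >&2
        return 2
    fi
    if [ ! -f "$iocs" ]; then
        echo "error: IOC file '$iocs' not found; download pegasus.stix2 and pass its full path" >&2
        return 3
    fi
    if [ "$mode" = dry ]; then
        echo "mvt-ios decrypt-backup -p <PASSWORD> -d '$dec' '$orig'"
        echo "mvt-ios check-backup -o '$logs' --iocs '$iocs' '$dec'"
        return 0
    fi

    # Read the password without echo instead of typing it on the command line,
    # so it does not land in your shell history.
    printf 'Backup password: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; echo >&2
    mvt-ios decrypt-backup -p "$pw" -d "$dec" "$orig" || return 4
    mvt-ios check-backup -o "$logs" --iocs "$iocs" "$dec"
}

# Example invocation mirroring the article's folders (dry run, prints only):
# check_pegasus ~/Desktop/bkp/orig ~/Desktop/bkp/decrypt ~/Downloads/pegasus.stix2 logs dry
```

Drop the trailing "dry" to actually run the decrypt and the scan once the printed paths look right.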
Again, I recommend following Amnesty's instructions and using its commands, because the tool may well have been updated since this article was written. Security researcher @RayRedacted on Twitter also has a great thread going through some of the issues you may run into while running the tool and how to deal with them.
As a final note, Amnesty only provides instructions for installing the tool on macOS and Linux systems. For those looking to run it on Windows, The Verge has confirmed the tool can be used by installing Windows Subsystem for Linux (WSL) and following Amnesty's Linux instructions. Using WSL will require downloading and installing a Linux distribution such as Ubuntu, both of which take time. You can do that while you wait for your phone to back up.
After running mvt, you'll get a list of warnings, each flagging suspicious files or unusual behaviour. Receiving a warning does not necessarily mean you've been infected. To my surprise, the Safari history check flagged some perfectly legitimate redirects (sheets.google.com redirecting to docs.google.com, reut.rs redirecting to reuters.com, and so on). I also received a few errors, but only because the program was looking for apps that I did not have installed on my phone.
According to recent reports, many people are now viewing their smartphones with more suspicion than before, whether or not they are likely to be targeted by a nation-state. While using the tool may (hopefully) help ease some concerns, it is unlikely to be a necessary precaution for the majority of Americans: NSO Group has said its software cannot be used on phones with US numbers, according to The Washington Post, and the investigation didn't find any evidence that US phones had been successfully breached by Pegasus.
While it is encouraging to see Amnesty making this tool available with thorough documentation, it is only of limited assistance in addressing the privacy concerns surrounding Pegasus. As we’ve seen recently, it doesn’t take a government targeting your phone’s microphone and camera to get private information — the data broker industry could be selling your location history even if your phone is Pegasus-free.