Amnesty International – part of the group that helped bring the news about journalists and heads of state targeted by NSO’s government spy software, Pegasus – has released a tool to check if your phone has been affected. Alongside the tool there is a large set of instructions, which will walk you through the somewhat technical checking process. Using the tool involves backing up your phone to your own computer and running a check on that backup. Read on if you’ve been eyeing your phone with suspicion since the news broke, and are looking for guidance on how to use Amnesty’s tool.
The first thing you need to notice is that the tool is command line or terminal based, so it will take some technical skill or some patience to run. We try to cover a lot of what you need to know to get started here, but there is something to know before you jump in.
The second note is that the analysis Amnesty is running seems to work best for iOS devices. In the documentation, Amnesty says that the analysis the tool can run on backups of Android phones is limited, but the tool can still check for potentially malicious SMS messages and APKs. Again, we recommend following the instructions.
To check an iPhone, the easiest way to get started is to create an encrypted backup using either iTunes or Finder on a Mac or PC. You will then need to find the backup, for which Apple provides instructions. Linux users can follow Amnesty’s
After obtaining a backup copy of your phone, you will need to download and install Amnesty’s mvt software, for which Amnesty also provides instructions.
If you use a Mac to run the check, you must first install both Xcode, which can be downloaded from the App Store, and Python3 before you can install and run mvt. The easiest way to get Python3 is to use a program called Homebrew, which can be installed and run from the terminal. After installing these, you are ready to go through Amnesty’s iOS instructions.
If you are having trouble trying to decrypt your backup, you are not alone. The tool gave me an error when I tried to point it to my backup, which was in the default folder. To resolve this, I copied the backup folder from the default location to a folder on my desktop and pointed the tool at that instead. My command ended up looking like this:
(For illustrative purposes only. Use the commands from Amnesty’s instructions, as the program may have been updated.)
mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig
When you run the scan itself, you will point to a compromise file indicator, which Amnesty provides in the form of a file called pegasus.stix2. Those who are brand new to using the terminal may stumble upon how they can actually point to a file, but it is relatively easy as long as you know where the file is. For beginners, I recommend that you download the stix2 file to the download folder for your Mac. Then, when you get to the step where you are actually running the check-back command, add
-i ~/Downloads/pegasus.stix2
into the options section. As a reference, my command ended up looking like this. (Again, this is for illustration purposes only. Trying to copy and run these commands will result in an error):
mvt-ios check-backup -o logger --iocs ~/Downloads/pegasus.stix2 ~/Desktop/bkp/decrypt
(For reference, ~/ acts more or less as a shortcut to your user directory, so you do not need to add anything like /Users/mitchell.)
Again, I would recommend following the Amnesty instructions and using the commands, as it is always possible that the tool will have been updated. Security researcher @RayRedacted on Twitter also has a great thread that goes through some of the issues you may encounter while running the tool and how to deal with them.
As a final note, Amnesty only provides instructions on how to install the tool on macOS and Linux systems. For those who want to run it on Windows, The Verge has confirmed that the tool can be used by installing and using the Windows Subsystem for Linux (WSL) and following Amnesty’s Linux instructions. Using WSL requires downloading and installing a Linux distro, such as Ubuntu, which will take some time. However, this can be done while you wait for the phone to back up.
After running mvt, you will see a list of warnings that show either suspicious files or suspicious behaviors. It is worth noting that a warning does not necessarily mean that you are infected. For me, there were some flagged redirects that were completely benign in the section where it checked my Safari history (sheets.google.com redirecting to docs.google.com, reut.rs redirecting to reuters.com, etc.). Similarly, I got some errors, but only because the program checked for apps that I have not installed on my phone.
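To make the check-backup step less of a black box, here is an added example (not part of this article or of Amnesty’s mvt code) of the basic idea behind it: the pegasus.stix2 file is a STIX2 JSON bundle of indicators, and the tool compares hostnames from artifacts such as Safari history against those indicators. The bundle, the history entries and the placeholder domain below are all constructed samples, and the matching is a simplified stand-in for mvt’s own logic.

```python
"""Simplified STIX2 domain-indicator matching over Safari history.
Added example, not the article's or Amnesty's code. The bundle and
history are constructed samples; the domain is a placeholder, not a
real Pegasus indicator."""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the general shape of an IoC file (placeholder ids/domain).
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern": "[domain-name:value = 'ioc-placeholder.example']"},
        {"type": "malware",
         "id": "malware--00000000-0000-4000-8000-000000000002",
         "name": "Placeholder"},
    ],
})

# Constructed Safari history, including the benign redirects the article mentions.
SAMPLE_HISTORY = [
    "https://sheets.google.com/",
    "https://docs.google.com/spreadsheets/",
    "https://reut.rs/abc123",
    "https://www.reuters.com/world/",
    "https://cdn.ioc-placeholder.example/login",
]

_DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")


def load_domain_iocs(stix2_text):
    """Return the set of domain-name indicators found in a STIX2 bundle."""
    bundle = json.loads(stix2_text)
    domains = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware/relationship objects carry no pattern to match
        match = _DOMAIN_PATTERN.search(obj.get("pattern", ""))
        if match:
            domains.add(match.group(1).lower())
    return domains


def check_history(history_urls, domains):
    """Return history URLs whose host is an IoC domain or a subdomain of one."""
    hits = []
    for url in history_urls:
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append(url)
    return hits
```

Running `check_history(SAMPLE_HISTORY, load_domain_iocs(SAMPLE_STIX2))` flags only the placeholder URL; the Google and Reuters redirects are not hits, which is the kind of distinction to keep in mind when reading mvt’s warnings.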
The story of Pegasus has probably left many of us looking at our phones with a little more suspicion than usual, whether or not we are likely to be targeted by a nation state. While running the tool can (hopefully) help ease that fear, it is probably not a necessary precaution for many Americans. NSO Group has said that the software cannot be used on phones with US numbers, according to The Washington Post, and the investigation found no evidence that American phones were successfully compromised by Pegasus.
While it’s nice to see that Amnesty made this tool available with solid documentation, it only helps with the privacy issues surrounding Pegasus. As we have recently seen, it does not take a government targeting your phone’s microphone and camera to expose private information – the data broker industry can sell your location history even if your phone is Pegasus-free.