Checking for Mobile Spyware

Feb 22, 2022 |


Lately, the news has been littered with articles about the NSO Group and their tool Pegasus, which infects mobile phones with spyware. The issue at hand is the way Pegasus is able to infect a targeted user’s phone without any interaction from the user. A couple of articles can be found here:

Finnish diplomats' devices hacked with Pegasus spyware

Rona Wilson's phone infected with Pegasus, new forensic analysis shows | The News Minute

Pegasus vs. Predator: Dissident's Doubly-Infected iPhone Reveals Cytrox Mercenary Spyware - The Citizen Lab

Israel police uses NSO's Pegasus to spy on citizens | Ctech

Today we’re going to install and run through the Mobile Verification Tool (MVT) that was developed and released by the Amnesty International Security Lab. This tool allows us to take a look at our own devices and determine if there are any indicators of compromise (IOCs). There’s a guide here but we wanted to run it through its paces with one of our testing devices and share the results here. We’re focusing solely on iOS devices but be aware that there is an MVT for Android as well.

Initial Requirements

We’re going to assume you’ve already installed Homebrew from here. We’ve installed Homebrew in previous blogs so make sure to check those out!

The first step in the mvt-ios install process is installing some dependencies. We can type in the command “brew install python3 libusb sqlite3”.

Once that’s complete, we need to update our zshrc file so that we can run the next command from the terminal. 

Once Nano is open with the zshrc file, we can type in “export PATH=$PATH:~/.local/bin” to the file. 

For folks who are newer to working with the terminal, nano can seem a little daunting. But I promise it’s not that bad. Once we’re done adding in the command from above, we hit Control-O to save the file. As you see in the screenshot below, it’s going to prompt you where to save by asking you “File Name to Write: /private/etc/zshrc”. We do want to overwrite the same file so you hit enter. Once it accepts it, hit Control-X to exit the nano file and you’ll be dropped back into the terminal.

Install MVT-iOS Module

Once back in our terminal, we can use ‘pip3 install mvt’ to install the mobile verification tool

You will see the regular progress bars that accompany any new software install for the mvt-ios module.

Once complete, we can type in “mvt-ios --help” to ensure we have the correctly installed. If installed correctly, you'll find the different commands you’re able to do with the tool.

Install dependencies for iOS

The documentation states that installing libimobiledevice will make it easier to interact with iOS devices. So we can easily do that by typing “brew install libimobiledevice”.

Downloading IOC files

In order to test our backup for IOCs, we need to download a file that contains the indicators. Download these stix2 files and save them as we’ll be using them further down in the guide.

Download NSO Group Pegasus IOCs here.

Download Cytrox IOCs here.

Working With you iDevice

Once downloaded and installed, we can start interacting with our iDevice. If you haven’t connected to your phone yet, you will need to select “Trust” on your phone and on your computer. You’ll also need to put in the pin on your iDevice.

If working correctly, you can type in “ideviceinfo” and you’ll get information from your connected device.

In order to pull the most information out of a backup, we need to encrypt that back. We can use the libimobiledevice package we installed earlier to perform that function. Type in the command “idevicebackup2 -i backup encryption on” to start the process.

If you’ve never encrypted your backup before, you’ll be prompted to enter in a password for your device.

Now that our device is set up to encrypt the backup, we need to pull that backup and save it to our computer with the command “idevicebackup2 backup -- full /locationyouwant”.

Once initiated correctly, you’ll see similar output to the screenshots below. Your device will backup and pull all the files associated with that backup. 

Using MVT-iOS

We can now use mvt to decrypt the backup we just created. The command is “mvt-ios decrypt-backup /pathtoyourbackup -d /pathyouwantoutputsaved -p yourbackuppassword”.

Warning: In the screenshot below, you’ll see that my password (123456) is available in clear text and you’ll get the same warning message from mvt. 

Now that we have the backup decrypted and saved off, we can use mvt-ios to check it out and see if there are any indicators of bad actors. This is where we use the stix2 files downloaded from earlier in the guide. We’ll use the command “mvt-ios check-backup - i /pathtoiocs -o /pathtooutput /pathtodecryptedbackup.

After it’s complete, you'll have a bunch of json files. Any mvt-ios hits will have “_detected” appended to the filename. Thankfully it looks like my test device wasn’t targeted.

We can use the same process to check for Cytrox. We just change the -i flag to the correct location for the Cytrox.stix2 file. 

And again we will get the same json output. It looks like my test device is safe from Cytrox as well.


There are a lot of bad actors out there trying to steal information. A big thank you goes out to the Amnesty Group for providing this tool for everyone to use. And hopefully, this guided walkthrough helped illuminate how you can do this at home to check your own iOS devices.