You can check you haven't been targeted by Pegasus spyware but it's a pain

iPhone X passcode screen (Image credit: iMore)

What you need to know

  • With the NSO Group's Pegasus spyware in the news of late, here's how to check your iPhone isn't infected.
  • It's very unlikely that you are, and the process of checking isn't a smooth one.

With so much talk about NSO Group and its Pegasus spyware right now, it's important to remember that it's very unlikely that you have been targeted. Still want to be sure? There's a tool that can check, but it'll take some work.

We know that 50,000 phone numbers belonging to journalists, government officials, and more are on a list of potential Pegasus targets, and that's all very scary stuff. Thankfully, it's unlikely most people will be anywhere near Pegasus or that list, but TechCrunch has detailed how you can go about being sure. It isn't a fun endeavor and it's going to involve cracking out Terminal, but it's definitely doable.

The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed in for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO's infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.

The toolkit works on the command line, so it's not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about 10 minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you'll need to feed in Amnesty's IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.

Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files.

You can learn more about the tool in the TechCrunch piece, and the tool itself is available via GitHub. That's where you'll find the documentation that you need to follow, too.
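To make the domain-matching idea above concrete, here is an added Python sketch; it is not MVT's code and not from the original article. It assumes the indicator file is a STIX2 JSON bundle with `domain-name` patterns, and every domain and record in it is a constructed placeholder.

```python
import json
import re
from urllib.parse import urlsplit
# Constructed STIX2 bundle; the domains are placeholders, not real indicators.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "malware", "name": "ExampleSpyware"},
    {"type": "indicator", "pattern": "[domain-name:value='bad-redirect.example']"},
    {"type": "indicator", "pattern": "[domain-name:value='cdn.tracker.test']"},
]})
# Constructed records standing in for text pulled out of a backup.
SAMPLE_RECORDS = [
    {"source": "sms", "text": "Parcel waiting: https://bad-redirect.example/x?id=7"},
    {"source": "safari_history", "text": "https://www.example.org/news"},
    {"source": "sms", "text": "see HTTP://A1.CDN.Tracker.Test:8443/p"},
    {"source": "sms", "text": "https://notbad-redirect.example/"},
]
DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def load_domain_iocs(bundle_text):
    """Return the lower-cased domains named in a STIX2 bundle's indicators."""
    domains = set()
    for obj in json.loads(bundle_text).get("objects", []):
        if obj.get("type") == "indicator":  # skip malware and other objects
            for d in DOMAIN_PATTERN.findall(obj.get("pattern", "")):
                domains.add(d.lower().rstrip("."))
    return domains

def matching_ioc(host, domains):
    """Return the IOC equal to host or a parent domain of it, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:  # whole-label match, never a substring match
            return candidate
    return None

def scan(records, domains):
    """Return (source, url, ioc) for each URL whose host matches an IOC."""
    hits = []
    for record in records:
        for url in URL_PATTERN.findall(record["text"]):
            ioc = matching_ioc(urlsplit(url).hostname or "", domains)
            if ioc:
                hits.append((record["source"], url, ioc))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS, load_domain_iocs(SAMPLE_BUNDLE)))
```

Matching on whole DNS labels catches subdomains of a listed domain while leaving lookalikes such as `notbad-redirect.example` unflagged, which keeps false positives down when the results are reviewed.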

Apple has been keen to remind everyone that most people don't need to worry about Pegasus and that it's a very sophisticated tool for gaining access to very specific devices. It could also do without a potential security scare ahead of the iPhone 13 announcement that will likely take place in September.

Oliver Haslam
Contributor
