Amnesty International, as part of reporting done into the NSO Group’s Pegasus spyware, released a forensic methodology report on how to determine if one is affected by Pegasus, as well as a toolkit that can help interested parties check for the existence of Pegasus on their phones.
The report, released on Sunday, July 18, explained how Amnesty found forensic traces on affected iOS and Android devices targeted by the Pegasus spyware, releasing technical notes on what they did to check for it.
Aside from this, Amnesty also made public its Mobile Verification Toolkit (MVT) for Pegasus detection, which takes different steps to determine the presence of Pegasus on an Android or iOS device.
TechCrunch, in its report, tested the MVT for operability and noted that it runs on the command line rather than through a graphical user interface. As such, you'll need some basic knowledge of terminal navigation to get started. That said, the MVT comes with documentation for its use.
The MVT helps users take a backup of their iPhone and check it against indicators of compromise tied to how NSO delivers the Pegasus spyware, a payload that might be sent through text or email.
The MVT also works with encrypted iPhone backups, as it can decrypt the backup without requiring the creation of a new copy.
On Android phones, meanwhile, TechCrunch says the MVT scans your Android device backup “for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.”
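The text-message check described above can be sketched as follows. This is an added example, not MVT's code or part of the original report: it extracts links from messages and matches each hostname against indicator domains on label boundaries rather than by substring. The messages, the indicator domains and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator domains (placeholders, not real Pegasus indicators).
INDICATOR_DOMAINS = {"bad-redirect.example", "cdn.tracker.example"}

# Constructed text messages standing in for rows parsed from a phone backup.
MESSAGES = [
    {"id": 1, "body": "Your parcel: https://bad-redirect.example/t/9f3a"},
    {"id": 2, "body": "See HTTP://Login.Bad-Redirect.Example./x now"},
    {"id": 3, "body": "Docs at https://notbad-redirect.example/help"},
    {"id": 4, "body": "Lunch at 12? no links here"},
    {"id": 5, "body": "https://tracker.example/a and https://cdn.tracker.example:8443/b"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_of(url):
    """Return the lower-cased hostname of a URL, without port or trailing dot."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def matches_indicator(host, indicators):
    """Return the indicator equal to the host or one of its parent domains.

    Comparing whole dot-separated suffixes means 'notbad-redirect.example'
    does not match 'bad-redirect.example', which a substring test would flag.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_messages(messages, indicators):
    """Return one hit per link whose hostname falls under an indicator domain."""
    hits = []
    for msg in messages:
        for url in URL_RE.findall(msg["body"]):
            matched = matches_indicator(host_of(url), indicators)
            if matched:
                hits.append({"id": msg["id"], "url": url, "indicator": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_messages(MESSAGES, INDICATOR_DOMAINS):
        print(hit)
```

A hit from a check like this is a lead to review, not proof of infection.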
TechCrunch found one indicator of compromise in their use of the MVT, which turned out to be a false positive after checking with Amnesty researchers. A new scan with the updated indicators showed no sign of Pegasus on the tested device.
As the MVT is open-source, here's hoping a graphical interface for the toolkit is released in the future to make it easier for everyone to use. – Rappler.com