MVT — Quick Start Guide
Primer: Amnesty International’s article detailing NSO Group’s Pegasus.
Read Me
Since I began writing this guide, iVerify, a security app for iOS, has released an update that allows it to detect traces of Pegasus. If you are not feeling savvy, or want a quick and easy answer, go download their app.
I’m not satisfied with an app; I’d like to test it myself.
MVT (Mobile Verification Toolkit) was created by Amnesty International and is designed to detect NSO Group’s Pegasus spyware. This post explains how to use MVT to scan your own device.
How to Install MVT On Your Device
Step 1: Use a macOS or Linux device. MVT doesn’t support Windows. I’ve read that it’s possible to install it on Windows Subsystem for Linux, but I won’t be covering that as I couldn’t get it working.
macOS Install Instructions:
Step 2: Install Homebrew (macOS package manager), dependencies, and then MVT.
Homebrew:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Then, open terminal and run (ensure Homebrew is correctly installed):
brew doctor
Next, you’ll need Python 3 (this is a somewhat lazy solution for Python, but if you only need it for MVT, it is fine), libusb (for USB debugging) and sqlite3:
brew install python3 libusb sqlite3
Step 3: Install MVT (you have to use pip3, because plain pip targets the default macOS Python install, which ends up painfully overriding default packages and breaking everything).
pip3 install mvt
Linux Install Instructions:
Step 2 & 3: Install the dependencies with one line, then install MVT itself with the same pip3 command as in the macOS Step 3 (pip3 install mvt).
sudo apt install python3 python3-pip libusb-1.0-0 sqlite3
Nice, you’re done.
Create Backups to Parse
macOS
Follow Apple’s instructions: https://support.apple.com/en-us/HT205220
Connect your iPhone to your Mac, then create an encrypted backup on the Mac. Make sure to actively choose “backup all data to this device” and then encrypt it.
Linux
Install libimobiledevice, following the MVT docs: https://docs.mvt.re/en/latest/ios/install.html
Back up using libimobiledevice. First turn on backup encryption (the -i flag prompts for the password interactively), then create a full backup into a directory of your choosing (the path is an example; remember it for the decrypt step below):
idevicebackup2 -i backup encryption on
idevicebackup2 backup --full ~/Desktop/ios_backup/
Decrypt and Check Backups (same for macOS and Linux)
Step 1: Find your backup, and move it to desktop.
Located by default (on macOS) at:
~/Library/Application\ Support/MobileSync/Backup/
Drag the backup folder (its name is a long string of digits and letters, like 0293080198992…) to your desktop.
(For Linux, the file should be in the output directory specified earlier with libimobiledevice.)
Step 2: Open Terminal to your desktop directory, and make a directory for your output.
command+space -> terminal
cd ~/Desktop
mkdir decrypted_backup
Step 3: Decrypt the backup, passing your backup password and the backup folder you dragged over (replace BACKUP_FOLDER with that folder’s name). This may take a while. Note that a password given with -p ends up in your shell history; newer MVT releases can read it from the MVT_IOS_BACKUP_PASSWORD environment variable instead.
mvt-ios decrypt-backup -p "password" -d ./decrypted_backup ./BACKUP_FOLDER
Step 4: Download the latest Indicators of Compromise (IOCs). The pegasus.stix2 file is published in Amnesty’s investigations repository (https://github.com/AmnestyTech/investigations, folder 2021-07-18_nso); newer MVT releases can also fetch the current indicator files with mvt-ios download-iocs.
Drag the pegasus.stix2 file from Downloads to your desktop.
Step 5: Parse the decrypted backup for signs of compromise, pointing check-backup at the IOC file and at the decrypted backup folder from Step 3.
mkdir ioc_output
mvt-ios check-backup -i ./pegasus.stix2 -o ./ioc_output ./decrypted_backup
Step 6: Check your results.
cd ./ioc_output
ls
A bunch of files should be listed. If there is a sign of compromise, one or more of the files will end in “_detected”. The absence of a “_detected” file only means none of the known indicators in the IOC file matched; it does not prove the device is clean, so re-run the check with an updated IOC file from time to time.
Step 7: Now what?
If any files were marked detected, reset your device to factory settings. Before you wipe it, keep a copy of the backup and the ioc_output folder somewhere safe so that an analyst can confirm the findings. If nothing was detected, continue on.
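To read the ioc_output folder programmatically instead of eyeballing ls, here is an added example (not part of MVT or of the original post). It assumes the convention used by the check-backup command above, where each module that matched an indicator writes a <module>_detected.json file holding a JSON list of the matching records; the sample files it builds are constructed.

```python
import json
import tempfile
from pathlib import Path


def summarize_mvt_output(output_dir):
    """Map each module that wrote a *_detected.json file to its record count."""
    # An empty result means no file ended in _detected: nothing matched the IOCs.
    summary = {}
    for path in sorted(Path(output_dir).glob("*_detected.json")):
        module = path.name[: -len("_detected.json")]
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            summary[module] = -1  # unreadable, but its existence is still a hit
            continue
        # Assumed layout: a JSON list with one dict per matching record.
        summary[module] = len(records) if isinstance(records, list) else 1
    return summary


def is_compromised(summary):
    """Any _detected file at all is the signal the guide says to act on."""
    return bool(summary)


def build_sample_output(output_dir):
    """Write a constructed output folder: one clean module, one with matches."""
    out = Path(output_dir)
    (out / "applications.json").write_text("[]", encoding="utf-8")
    # Constructed records; the domain is a placeholder, not a real indicator.
    (out / "safari_history_detected.json").write_text(json.dumps([
        {"timestamp": "2021-07-01 10:05:00", "module": "SafariHistory",
         "event": "visit", "data": "https://PLACEHOLDER-IOC-DOMAIN.example/"},
        {"timestamp": "2021-07-02 08:30:00", "module": "SafariHistory",
         "event": "visit", "data": "https://PLACEHOLDER-IOC-DOMAIN.example/x"},
    ]), encoding="utf-8")


def demo():
    """Build the constructed folder in a temp dir and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_output(tmp)
        return summarize_mvt_output(tmp)


if __name__ == "__main__":
    result = demo()  # on a real run, pass your ./ioc_output folder instead
    for module, count in result.items():
        print(f"{module}: {count} matching record(s)")
    print("indicators matched" if is_compromised(result) else "no known indicators matched")
```

On a real scan, call summarize_mvt_output("./ioc_output") from the desktop directory used in the steps above; a count of -1 flags a detected file that could not be parsed.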