Pegasus

Pegasus is a spyware program designed to attack iOS and Android smartphones. It was designed in 2013. When installed on the device, it accesses files, messages, photos and passwords, listens to calls, and can trigger audio recording, camera, or geolocation.

How it’s installed?

Be infect by Pegasus, there have several options :

  • spear phishing: the user clicks on a link sent via an sms or an iMessage
  • internet redirection
  • wireless communication : it’s use the skill « zero click » who operating with the vulnerability of « zero day ». it’s using app like iMessage, Apple Music, WhatsApp, etc. This way install Pegasus without any action the user

How to check your iPhone for Pegasus?

 

Pegasus

The Amnesty International Security Lab developed app who allow to check if the iPhone is infected. It’s same app to Android.

This App is Mobile Verification Toolkit (MVT). It’s allow to check search for traces of spyware.

 

How it’s work?

The MVT work only on Linux or macOS. To install and use it, you need 2 things:

  • MVT requires Python 3.6+ to run.
  • Some Knowledge (or basics) with Linux.

To do it :

  1. You should backup your phone data on a computer
  2. Launch the terminal or command line. The check is similar an iOS device and Android. On Linux, you’ll have to use a command-line tool with libimobiledevice to generate a backup. Like I said MVT need Python 3.6+ to run and Xcode (on Mac). Xcode can be download from AppStore. But Python 3.6+ should to be installed by installing Homebrew.
  3. Download MVT

Then Connect your iOS device to your computer via USB and run.

 

  1. Download MVT and install it.

On Linux : Install

  1. The prerequisites with command sudo apt install python3 python3-pip libusb-1.0-0
  2. MVT with command pip3 install mvt

On MacOS: Install

  1. Brew with command/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  2. The prerequisites with command brew install python3 libusb
  3. MVT with command pip3 install mvt

 

  1. Make a Backup. If it’s on Mac with iPhone Launch iTunes and then create a local backup of your phone, making sure it’s encrypted> Or you can use Finder.
  2. Use MVT to decrypt the data using command: mvt-ios decrypt-backup -p <Password> -d <DESTINATION_PATH> <PATH_BACKUP_CRYPTED>
  3. Analysis of the decrypted backup: mvt-ios check-backup –output <DESTINATION_ANALYSE> –iocs <LOCATION_IOCS>/pegasus.stix2 <LOCATION_BACKUP_DECRYPT> : {DESTINATION ANALYSE MVT Results Inventory}. {LOCATION_IOCS} Location file Pegasus.stix2.{LOCATION_BACKUP_DECRYPT} directory of your decrypted backup.

If the analysis found suspicious elements, it’s mean your devices can be infected by Pegasus. If it’s infect send request to the customer support