{
	"id": "8b2e51d0-2fa0-4694-9e23-ab9a2b94c3f7",
	"created_at": "2026-04-06T02:12:19.36093Z",
	"updated_at": "2026-04-10T03:20:45.423464Z",
	"deleted_at": null,
	"sha1_hash": "7dccf06d989ccc46f8f873229073ac6ac0a18b83",
	"title": "Scanning your iPhone for Pegasus, NSO Group's malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 255727,
	"plain_text": "Scanning your iPhone for Pegasus, NSO Group's malware\r\nArchived: 2026-04-06 01:32:41 UTC\r\nJul 25th, 2021 | 7 minute read\r\nIn collaboration with more than a dozen other news organizations The Guardian recently published an exposé\r\nabout Pegasus, a toolkit for infecting mobile phones that is sold to governments around the world by NSO Group.\r\nIt’s used to target political leaders and their families, human rights activists, political dissidents, journalists, and so\r\non, and surreptitiously download their messages/photos/location data, record their microphone, and otherwise spy\r\non them. As part of the investigation, Amnesty International wrote a blog post with their forensic analysis of\r\nseveral compromised phones, as well as an open source tool, Mobile Verification Toolkit, for scanning your\r\nmobile device for these indicators. MVT supports both iOS and Android, and in this blog post we’ll install and run\r\nthe scanner against my iOS device.\r\nChoosing your options\r\nFor iPhones, MVT can either run against a device backup or a full file system dump (which is only available from\r\njailbroken devices). The device backup method has access to less forensic data than the filesystem dump but has\r\nthe benefit that you don’t need to jailbreak your device. MVT conveniently documents which forensic artifacts are\r\navailable to which method - the following artifacts are not available when using the backup method:\r\ncache_files.json\r\nnet_usage.json\r\nsafari_favicon.json\r\nversion_history.json\r\nwebkit_indexeddb.json\r\nwebkit_local_storage.json\r\nwebkit_safari_view_service.json\r\nThe same documentation link also explains what data each file contains and where it’s sourced from, and\r\nAmnesty’s blog post describes in more detail how each data type is relevant for detecting Pegasus. For instance\r\nfor the Safari favicon data ( safari_favicon.json ) they write:\r\nAlthough Safari history records are typically short lived and are lost after a few months (as well as\r\npotentially intentionally purged by malware), we have been able to nevertheless find NSO Group’s\r\ninfection domains in other databases of Omar Radi’s phone that did not appear in Safari’s History. For\r\nexample, we could identify visits through Safari’s Favicon.db database, which was left intact by\r\nPegasus.\r\nSo if you have a jailbroken device you will get more complete Pegasus detection with the filesystem dump\r\napproach, but since my device is not jailbroken I’ll go with the device backup approach - it’s better than nothing.\r\nhttps://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/\r\nPage 1 of 4\r\nIn fact there is no publicly known jailbreak available for my iPhone model and version of iOS, so I don’t have a\r\nchoice.\r\nCreating and checking your backup\r\nTo create and check your iPhone backup you can:\r\nBuild the MVT docker image:\r\ngit clone https://github.com/mvt-project/mvt.git\r\ncd mvt\r\ndocker build -t mvt .\r\nCreate your backup:\r\nThe backup can be created either directly in Finder (prior to MacOS Big Sur this was done through iTunes), or\r\nusing a library called libimobiledevice.\r\nFor the Finder approach plug your phone into your laptop, navigate to it in Finder, and click “Back Up Now” with\r\nthese settings checked:\r\nMVT only operates against decrypted backups so in the next step we’ll be decrypting everything anyway, but\r\nencrypted backups export more device data (such as your browsing history or wifi settings) so encrypting your\r\nbackup will give you better detection.\r\nAfter the backup is created click “Manage Backups”, then right click on your backup and select “Show In Finder”,\r\nand copy the folder to somewhere easily accessible (say, to your desktop).\r\nOr, if you’d prefer to create a backup using libimobiledevice instead of Finder:\r\nMVT automatically includes libimobiledevice in its Docker image but even with their instructions I couldn’t get it\r\nto recognize my iPhone from inside Docker, so I installed it on my MacOS host:\r\n# Install latest libimobiledevice\r\nbrew install --HEAD libimobiledevice\r\n# Make a working directory\r\nmkdir -p ~/Desktop/mvt\r\n# Enable backup encryption - you'll be prompted for a password\r\nidevicebackup2 -i encryption on\r\n# Backup the device\r\nidevicebackup2 backup --full ~/Desktop/mvt/\r\nNow we can scan our backup:\r\n# Run the MVT image, mounting your desktop working directory into Docker\r\ndocker run \\\r\n  -v ~/Desktop/mvt:/home/cases/mvt \\\r\n  -it mvt\r\n# Download Amnesty International's indicators of compromise\r\nwget https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2 -O pegasus.stix2\r\n# We'll save our results here\r\nmkdir mvt/results\r\n# Decrypt the backup: -p is the backup password you created, -d is the directory to save\r\n# the decrypted backup to, and the last argument is the encrypted backup to decrypt\r\nmvt-ios decrypt-backup \\\r\n  -p '\u003cpassword\u003e' \\\r\n  -d mvt/decrypted \\\r\n  mvt/00008101-0018545E26F1003A/\r\n# Scan the decrypted backup: --iocs is the path to our downloaded IoCs, --output is where\r\n# to save the results, and the last argument is the path to the backup to scan\r\nmvt-ios check-backup \\\r\n  --iocs pegasus.stix2 \\\r\n  --output mvt/results \\\r\n  mvt/decrypted\r\nAnd lastly we can interpret the results:\r\nIf everything ran successfully you should have a number of json files in the mvt/results folder on your desktop.\r\nAny filenames ending in _detected.json indicate that some trace of Pegasus was found, and all other json files\r\ncontain debug data about your scan results. If you have no _detected.json files then there were no Pegasus\r\nindicators found:\r\nP.S. If you enjoy this kind of content feel free to follow me on Twitter: @arkadiyt\r\nSource: https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/"
	],
	"report_names": [
		"scanning-your-iphone-for-nso-group-pegasus-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775441539,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dccf06d989ccc46f8f873229073ac6ac0a18b83.pdf",
		"text": "https://archive.orkl.eu/7dccf06d989ccc46f8f873229073ac6ac0a18b83.txt",
		"img": "https://archive.orkl.eu/7dccf06d989ccc46f8f873229073ac6ac0a18b83.jpg"
	}
}