Here’s how to use Amnesty’s program to check your phone for Pegasus malware.

Here's how to use Amnesty's program to check your phone for Pegasus malware.
Here's how to use Amnesty's program to check your phone for Pegasus malware.

The procedure needs some final effort, but it is quite simple. Amnesty International, which was one of the first organisations to report on journalists and heads of state being targeted by NSO’s government-grade spyware, Pegasus, has created a tool to see whether your phone has been compromised.

A fantastic set of instructions comes with the tool, which should guide you through the rather complex checking procedure. To use the programme, you must first back up your phone to a separate computer and then check that backup. If you’ve been staring at your phone since the news broke and need some advice, keep reading.

Steps on How to remove Pegasus spyware from Android

The first thing to keep in mind is that the programme is command line or terminal oriented, so it will require some technical knowledge or patience to use. We attempt to cover a lot of what you need to know to get started, but it’s something to be aware of before diving in.


The second point to mention is that Amnesty’s analysis appears to function best on iOS devices. According to Amnesty’s literature, the tool’s ability to analyze Android phone backups is restricted, but it can still scan for potentially harmful SMS messages and APKs. Again, we advise you to follow its directions.

The simplest approach to verify your iPhone is to create an encrypted backup using iTunes or Finder on a Mac or PC. After that, you’ll need to find that backup, which Apple explains in detail. Amnesty International has instructions for using the libimobiledevice command-line program to generate a backup for Linux users.

You’ll need to download and install Amnesty’s mvt software after getting a backup of your phone, which Amnesty also offers instructions for.

If you’re running the check on a Mac, you’ll need to download and install both Xcode and Python3 from the App Store before you can install and execute mvt.

The simplest approach to get Python3 is to use Homebrew, a software that can be installed and used from the Terminal. After you’ve installed them, you’ll be able to follow Amnesty’s iOS instructions.


You’re not alone if you’re having problems decrypting your backup. When I tried to point the programme to my backup, which was in the default location, it gave me problems. To fix this, I moved the backup folder from the default location to a desktop folder and directed mvt there. This is how my command turned out:

(This is solely for illustrative purposes.) Please use the commands from Amnesty International’s instructions, since the software may have been changed.)

mvt-ios decrypt-backup -p PASSWORD -d decrypt ~/Desktop/bkp/orig

When you run the real scan, you’ll want to point to an Indicators of Compromise file, which Amnesty International offers as a pegasus.stix2 file. Those who are new to using the terminal may be confused about how to actually point to a file, but as long as you know where the file is, it’s very straightforward. I recommend saving the stix2 file to your Mac’s Downloads folder for beginners. Then, when you’re ready to execute the check-backup command, include

-i ~/Downloads/pegasus.stix2

enter the area of options To give you an idea of how my command turned out, it looked like this. (Once again, this is only for example reasons.) Attempting to duplicate and run these instructions will result in an error):

(For reference, the / acts as a shortcut to your user folder, so you don’t need to include something like /Users/mitchell.)

Again, I’d advise following Amnesty’s advice and using its commands, as the tool might have been changed. On Twitter, security researcher @RayRedacted has a fantastic thread going over some of the difficulties you can encounter when using the tool and how to handle them.

Finally, Amnesty International only includes instructions for installing the application on macOS and Linux platforms. The Verge has confirmed that the programme may be used on Windows by installing and utilising Windows Subsystem for Linux (WSL) and following Amnesty’s Linux instructions. WSL requires the download and installation of a Linux distribution, such as Ubuntu, which will take some time. It is, however, possible to do so while waiting for your phone to backup.

You’ll get a series of warnings after executing mvt, which will either indicate questionable files or behaviour. It’s important to note that a warning doesn’t always imply you’ve been infected.

Some redirection that were completely legal appeared in the area where it verified my Safari history for me ( redirecting to, redirecting to, etc). I had a few problems as well, but only because the software was looking for programmes that I didn’t have on my phone.

Regardless of whether we’re likely to be targeted by a nation-state, the Pegasus storey has undoubtedly made many of us view our phones with a bit more mistrust than normal. While using the tool may (hopefully) alleviate some worries, many Americans are unlikely to find it essential.

According to The Washington Post, NSO Group has said that their software cannot be used on phones with US numbers, and the inquiry found no indication that US phones had been effectively hacked by Pegasus.

While it’s encouraging to see Amnesty International make this tool public with thorough explanation, it only goes so far in addressing the privacy issues raised by Pegasus. It doesn’t take a government targeting your phone’s microphone and camera to acquire private information; the data broker business may be selling your location history even if your phone isn’t Pegasus-enabled, as we’ve seen recently.


Please enter your comment!
Please enter your name here