Pegasus Attack: How to Check if Your iPhone, Android Phone Have Been Compromised by the Spyware

Fair warning: The process to check for Pegasus is not as simple as downloading software and scanning, and may require multiple attempts.


The Pegasus spyware incident has sparked plenty of discussion about how deep the prospect of being tracked runs, no matter who you are and what you do. While the Israeli firm NSO’s Pegasus tool is not new at all, and knowledge about it has been around for a long time, this is perhaps the most public acceptance of just how vulnerable anyone is to targeted digital surveillance. With plenty of paranoia around, Amnesty International, the body that helped publications around the world expose the use of Pegasus to track powerful individuals including politicians and journalists, has published a Mobile Verification Tool (MVT).

The MVT is designed to help you find indications that your phone has been breached by Pegasus, by tracking down key identifiers that point to a compromise. However, the process for checking is not as basic or simple as downloading a piece of software from a site and running a scan of your device. While all details are documented elaborately, it is important to note that the Amnesty MVT tool works only on the command line. It is therefore best suited to advanced users who have prior experience of working on the command line. Alternatively, any user can make use of the tool, but this would require following the instructions very closely, and a lot of patience.

How to check for Pegasus breach on iOS

The Amnesty MVT for Pegasus discloses right at the start that it works best for iOS devices, and is not comprehensively effective for Android. Given that security on iPhones has come to the fore in light of the Pegasus breach, here’s how you can go about checking for the breach:

  • Take an encrypted backup of your iPhone on your Mac or Windows PC. Once the backup is done, you’ll then need to find the exact folder where the backup is stored.
  • For how to take encrypted backup, check Apple’s explainer here. For how to locate backup, check Apple’s post here.
  • The next step is to determine your PC OS. If you are using a Mac, install Xcode and Python3. The instructions are given here.
  • Windows users will need to install a Linux distro alongside their Windows setup, and boot into Linux. Then, follow the Linux instructions given here.
  • You will then be required to install libimobiledevice utilities, which will be key to examining your phone content. Click here for instructions.
  • It is after this that you finally get to run the mvt-ios tool on the backup, which you’ll have to decrypt first. The process for both the decryption (to be done first) and the mvt-ios inspection are detailed here. Follow the steps and instructions exactly as they come.
  • Once the test is run, the command line will ask for an indicators of compromise (IOC) file, which the tool uses to scan your extracted backup records to see if you have been targeted by Pegasus, too. Click here to download the file, and once downloaded, tell the programme where you have stored it on your PC so that it can read it. It is always convenient to store such things on the desktop.
  • Once the tool is run, you will be able to see a list of warnings that may indicate suspicious behaviour that did not come from you. Check the records; you have reason to worry only if you can conclusively see logged actions that you never performed.
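The decrypt, check and review steps above can be scripted. The following is an added example, not taken from the article or from Amnesty's documentation: it wraps the `mvt-ios decrypt-backup` and `mvt-ios check-backup` commands and then lists which result files recorded an indicator match. The function names and all paths are placeholders chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: decrypt -> check -> triage for an iPhone backup with MVT.
# Function names and directory layout are assumptions made for this example.

# Decrypt the encrypted backup, then check it against the IOC file.
#   $1 = folder holding the encrypted backup
#   $2 = empty working folder for decrypted data and results
#   $3 = downloaded indicators of compromise (STIX2) file
run_mvt_check() {
    local backup_dir="$1" work_dir="$2" ioc_file="$3"
    [ -d "$backup_dir" ] || { echo "backup folder not found: $backup_dir" >&2; return 2; }
    [ -f "$ioc_file" ] || { echo "IOC file not found: $ioc_file" >&2; return 2; }
    mkdir -p "$work_dir/decrypted" "$work_dir/results"
    # mvt-ios prompts for the backup password when -p is not given,
    # which keeps the password out of the shell history.
    mvt-ios decrypt-backup -d "$work_dir/decrypted" "$backup_dir" || return 1
    mvt-ios check-backup -i "$ioc_file" -o "$work_dir/results" "$work_dir/decrypted"
}

# MVT writes one JSON file per module into the results folder and, when a
# record matched an indicator, an extra <module>_detected.json next to it.
# Prints the modules that have a non-empty detections file.
# Returns 0 if at least one was found, 1 if none (same convention as grep).
list_detections() {
    local results_dir="$1" found=1 f
    for f in "$results_dir"/*_detected.json; do
        [ -s "$f" ] || continue          # skips the unmatched glob and empty files
        basename "$f" _detected.json
        found=0
    done
    return "$found"
}

# Typical use (placeholder paths):
#   run_mvt_check ~/iphone-backup ~/mvt-work ~/Desktop/pegasus.stix2
#   list_detections ~/mvt-work/results || echo "no indicator matches recorded"
```

A module name printed by `list_detections` is a pointer to the records worth reading in full, not a verdict on its own.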

How to check for Pegasus on Android

The Android forensic check by the Amnesty MVT is not as clean or in-depth as iOS, and the process differs, too. Here’s how you should do it:

  • Connect your phone to a PC, and allow file system access for the PC on your phone.
  • You’ll have to enable developer options by tapping multiple times on your phone’s build number, found in the About section of your phone settings.
  • Once enabled, go to developer options and enable USB debugging.
  • You can then run the mvt-android tool, which will download APKs from your phone to scan them for violations. Click here for the entire process.