How to Check if your iPhone is Infected with Spyware/Stalkerware

Rubens Zimbres
6 min read · Jan 16, 2024


Recently I was watching the Frontline PBS documentary “Global Spyware Scandal: Exposing Pegasus Part One (full documentary) | FRONTLINE”. Pegasus, from the Israeli firm NSO Group, is a spyware that is used by many governments around the world to spy on people of interest, like journalists (CNN was a victim), politicians and militia in war zones. As far as I know, a missed call is enough to get this spyware installed on a cellular phone.

Pegasus is a notorious piece of spyware capable of infecting both iOS and Android devices. It grants attackers extensive access to a target’s phone, turning it into a powerful surveillance tool. Here’s how it works and what data it collects:

Infection Methods:

Phishing Links: Initially, Pegasus relied on tricking users into clicking infected links sent via text messages. It has since evolved to exploit:

  • Zero-click vulnerabilities: These don’t require user interaction and can infect a phone through simply receiving a message, call, or even being near a specific wireless transceiver.
  • App vulnerabilities: Pegasus has exploited flaws in popular apps like WhatsApp and iMessage to gain access.

Data Collection:

Once installed, Pegasus can collect a staggering amount of data, including:

  • Messages: SMS, emails, chat app messages, and even recorded calls.
  • Contacts and call history: Who the target communicates with and when.
  • Location data: Real-time GPS tracking of the target’s movements. This is especially relevant as it provides metadata for drone attacks.
  • Photos and videos: Access to the phone’s camera roll and gallery.
  • Passwords and keystrokes: Login credentials and everything typed on the device.
  • Microphone and camera recordings: Live capture of audio and video without the target’s knowledge.

Data Usage:

The collected data is typically uploaded to the NSO Group’s servers for analysis and reporting. Clients, who are often governments or intelligence agencies, use this information for various purposes, including:

  • Surveillance of activists and journalists: Monitoring their communications and activities.
  • Political espionage: Gathering information on opponents and foreign countries.
  • Criminal investigations: Tracking suspects and gathering evidence.
  • Drone attacks: Targeting based on user metadata.

The Controversies:

Pegasus has been shrouded in controversy due to its misuse by various governments for:

  • Targeting human rights defenders and journalists: Suppressing dissent and freedom of expression, like the Saudi journalist and dissident Jamal Khashoggi.
  • Spying on political opponents: Undermining democratic processes.
  • Facilitating human rights abuses: Contributing to persecution and violence.

These concerns have led to calls for stricter regulations on spyware and accountability for companies like NSO Group. This Wikipedia entry provides more information on the Pegasus spyware.

There are also other companies that provide governments with an “operational cyber solution” that includes gathering information from devices and cloud services, like Cytrox.

Pegasus is a powerful and dangerous spyware that can collect vast amounts of personal data with worrying implications for privacy and human rights. Its misuse highlights the need for stronger control over such technologies and increased transparency in their development and usage. The full capabilities and details of Pegasus remain opaque due to its secretive nature. Even ChatGPT does not provide any information about its use.

The evolution of current A.I. technologies, like deep fakes, malicious A.I., voice modulation and social network analysis via graphs, creates an explosive mixture.

Given this level of threat, I decided to check if my iPhone was infected. By reading the Forbes article “How To Check If Your Smartphone Is Infected With Pegasus Spyware” I got to this GitHub repo: https://github.com/mvt-project/mvt.

We have some ways to check if Pegasus or any other spyware/stalkerware is installed on our phones. Here, I generated an encrypted backup of my iPhone on my local Linux machine, decrypted it, downloaded .stix2 files (Indicators of Compromise) and analyzed the backup with mvt, a forensic research tool. The mvt library looks for signatures (.stix2 files) that can be obtained from mvt itself or from the Amnesty International Security Lab. These files allow you to check for Indicators of Compromise (IOCs) on mobile devices. In this tutorial you won’t need to jailbreak your iPhone.

First, we need to install some libraries:

pip3 install mvt

Then, following the mvt documentation, we install the remaining system dependencies:

sudo apt install python3 python3-pip libusb-1.0-0 sqlite3

Then we connect our iPhone to a USB or Thunderbolt 3 port. The ideviceinfo, idevicepair and idevicebackup2 commands used below come from libimobiledevice (the libimobiledevice-utils package on Debian and Ubuntu).

Now, we run:

ideviceinfo

This will give you information about your iPhone, like UniqueChipID, UniqueDeviceID, WiFiAddress, EthernetAddress, ChipSerialNo, and many other details.

Now, let’s pair our iPhone:

idevicepair pair

On your iPhone, tap Trust to allow the connection and type your iPhone passcode.

Then run this command again:

idevicepair pair

You will get:

SUCCESS: Paired with device 00007020-0756575960682E

Now we will follow the Backup with libimobiledevice documentation:

Turn on encryption for the local backup on your machine:

idevicebackup2 -i encryption on

Then, we perform the full backup. Note that an encrypted backup contains some additional files that an unencrypted backup does not, which is why we enabled encryption first:

idevicebackup2 backup --full ./iPhone
Local Backup being made

We now have an encrypted backup on our local machine, in the iPhone folder. Before mvt can analyze it, we need to decrypt it:

mvt-ios decrypt-backup -p "your_password" -d ./iPhoneOutput ./iPhone/00007020-0756575960682E

Here you can either pass the backup password with -p or generate a key file and pass it instead; you choose. The decrypted backup is written to the -d destination, the iPhoneOutput folder. Note that if you pass the password on the command line, it remains stored in plain text in your shell history, which is risky; mvt can also read it from the MVT_IOS_BACKUP_PASSWORD environment variable, which keeps it out of the history file.

Then, we check the decrypted backup against an Indicators of Compromise (IOCs) .stix2 file and save the JSON results in the iPhoneAnalysis folder. But first, we download the IOC files:

mvt-ios download-iocs
mvt-ios check-backup -i ./.local/share/mvt/indicators/raw.githubusercontent.com_AmnestyTech_investigations_master_2021-07-18_nso_pegasus.stix2 -o ./iPhoneAnalysis ./iPhoneOutput

I got one detection. In this case, it was a stalkerware app that I had installed myself, aware of the risks.

Let’s check the JSON file: webkit_resource_load_statistics_detected.json

I indeed have a stalkerware app installed. As you will see in the Amnesty International repository and also in the mvt GitHub repo, you can also check for other IOCs, like KingsPawn, Predator and DragonEgg.
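To make the check-backup step less of a black box, here is an added example (not part of the original post and not mvt’s own code) that re-implements the core of what mvt-ios does with a .stix2 file: it reads the domain-name indicator patterns from a STIX2 bundle, matches them against records of the kind mvt extracts from the backup’s WebKit resource load statistics, writes a webkit_resource_load_statistics_detected.json like the one above, and then summarizes every *_detected.json in the output folder. The bundle, the records and the domains (all on the reserved .invalid TLD) are constructed for the example and are not real indicators; the subdomain matching rule is an assumption about what a practitioner wants rather than a claim about mvt’s exact rules.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

# Simple STIX2 indicator form used for domains, e.g.
# "[domain-name:value = 'example.com']". Other indicator types
# (file:name, process:name, ...) are deliberately ignored here.
DOMAIN_PATTERN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")

# Constructed STIX2 bundle. The domains are placeholders, not real IoCs.
SAMPLE_STIX2 = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "malware",
         "id": "malware--00000000-0000-4000-8000-000000000002",
         "name": "example-spyware (constructed)"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update-check.invalid']"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn-sync.invalid']"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix",
         "pattern": "[file:name = 'constructed_binary']"},
    ],
}

# Constructed records in the shape of the WebKit resource load statistics
# that mvt-ios pulls out of a backup: one row per domain the browser contacted.
SAMPLE_RESOURCE_LOAD_STATS = [
    {"domain": "apple.com", "last_seen": "2024-01-10 09:12:00"},
    {"domain": "update-check.invalid", "last_seen": "2024-01-11 22:41:17"},
    {"domain": "assets.cdn-sync.invalid", "last_seen": "2024-01-12 03:05:44"},
    {"domain": "example.org", "last_seen": "2024-01-13 14:00:00"},
    {"domain": "notcdn-sync.invalid", "last_seen": "2024-01-13 15:00:00"},
]


def load_domain_indicators(bundle: dict) -> Set[str]:
    """Collect every domain named by an indicator pattern in a STIX2 bundle."""
    domains: Set[str] = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for domain in DOMAIN_PATTERN.findall(obj.get("pattern", "")):
            domains.add(domain.lower())
    return domains


def domain_matches(domain: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator matched by an exact host or by a subdomain of it.

    Suffix matching requires a dot boundary, so 'notcdn-sync.invalid' does
    not match the indicator 'cdn-sync.invalid'.
    """
    host = domain.lower().rstrip(".")
    if host in indicators:
        return host
    for ioc in indicators:
        if host.endswith("." + ioc):
            return ioc
    return None


def check_records(records: List[dict], indicators: Set[str]) -> List[dict]:
    """Flag records whose domain hits an indicator, keeping the original row."""
    detected = []
    for rec in records:
        ioc = domain_matches(rec["domain"], indicators)
        if ioc is not None:
            detected.append({**rec, "matched_indicator": ioc})
    return detected


def write_results(detected: List[dict], out_dir: Path) -> Path:
    """Write detections to webkit_resource_load_statistics_detected.json."""
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / "webkit_resource_load_statistics_detected.json"
    path.write_text(json.dumps(detected, indent=2))
    return path


def summarize_results_dir(out_dir: Path) -> Dict[str, int]:
    """Count entries in each *_detected.json, like skimming an mvt output folder."""
    return {p.name: len(json.loads(p.read_text()))
            for p in sorted(out_dir.glob("*_detected.json"))}


def run_demo() -> Dict[str, int]:
    """Full pipeline on the constructed data: indicators -> match -> JSON -> summary."""
    indicators = load_domain_indicators(SAMPLE_STIX2)
    detected = check_records(SAMPLE_RESOURCE_LOAD_STATS, indicators)
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = Path(tmp) / "iPhoneAnalysis"
        write_results(detected, out_dir)
        return summarize_results_dir(out_dir)


if __name__ == "__main__":
    hits = check_records(SAMPLE_RESOURCE_LOAD_STATS,
                         load_domain_indicators(SAMPLE_STIX2))
    for rec in hits:
        print(f"{rec['domain']} matched {rec['matched_indicator']} "
              f"(last seen {rec['last_seen']})")
    print(run_demo())
```

A detection in a *_detected.json file only means that a host or artifact in the backup matched a published indicator; as in my own case above, the next step is to look at which indicator matched and when the artifact was last seen before deciding whether the device is actually compromised.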

The mvt documentation also includes details about Android spyware and about running the tool on other operating systems, like Windows and Mac.


Rubens Zimbres

I’m a Senior Data Scientist and Google Developer Expert in ML and GCP. I love studying NLP algos and Cloud Infra. CompTIA Security +. PhD. www.rubenszimbres.phd