Checking an Android Phone for NSO Group's Pegasus Malware

oz, 2021-07-22

After Amnesty International’s Methodology Report from last Sunday, I early-adopted the Mobile Verification Toolkit on Monday evening. At that time, parts of the documentation and cross-referencing were pretty basic, so I'm documenting my process and concentrating links to all resources here.

Less tech-savvy users may want to wait for the announced GUI.

Preconditions:

Further reading:

Installing MVT in a pipenv

I installed the project's dependencies in a pipenv so as not to pollute the system's Python packages and $PATH:

# Clone repository
git clone https://github.com/mvt-project/mvt.git
cd mvt/

# Install dependencies in pipenv
pipenv --python 3
pipenv run pip3 install .

Check APKs for malware signatures

Since the tool can't download the APKs now and check them for malware signatures later, it's best to run the VirusTotal check right away with the download; otherwise you'd need to download the packages twice:

mkdir android-apks
pipenv run mvt-android download-apks -o android-apks/ --virustotal

Sometimes the Android device is busy and MVT recommends resetting the adb server. This works just fine:

# Reset the adb server; it is restarted automatically on the next adb command
adb kill-server

While the APKs are downloading, the phone will ask you (multiple times, even if you tick the 'allow future access' box) to allow adb access. This dialog must be accepted within 5 seconds, otherwise MVT times out, so keep an eye on the phone screen. ;)

The SMS backup and check process is well-documented:

# Backup SMS from Android device
adb backup com.android.providers.telephony

# Extract SMS backup with Android Backup Extractor (abe.jar) and unpack the tar
java -jar abe.jar unpack backup.ab backup.tar
tar xvf backup.tar

# Check backup against STIX v2 file
pipenv run mvt-android check-backup . --iocs pegasus.stix2
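To make clear what the last step actually does, here is a small, stand-alone illustration of the kind of check `mvt-android check-backup --iocs pegasus.stix2` runs on the SMS messages: it loads the domain-name indicators from a STIX 2 bundle and flags messages whose links point at one of those domains (or a subdomain). This is example code written for this post, not MVT's implementation; the STIX bundle and the SMS rows are constructed samples with placeholder domains, not real Pegasus indicators, and the message fields (address, date, body) are the ones a telephony backup exposes.

```python
"""
Illustration of an IOC check over SMS messages, in the spirit of
`mvt-android check-backup --iocs pegasus.stix2`.

Not MVT's own code. The STIX 2 bundle and the SMS rows below are
constructed samples; the domains are placeholders, not real indicators.
"""
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2.1 bundle. Only 'indicator' objects matter here, and only
# those whose pattern contains a domain-name comparison; other indicator
# types (file names, process names, ...) are skipped by this example.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'lure.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'tracker.example.net']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[file:name = 'suspicious-file.apk']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "Placeholder malware", "is_family": True},
    ],
})

# Constructed SMS rows (placeholder numbers and links).
SAMPLE_SMS = [
    {"id": 1, "address": "+10000000001", "date": 1626900000000,
     "body": "Your package is waiting: https://track.lure.example/abc"},
    {"id": 2, "address": "+10000000002", "date": 1626900100000,
     "body": "Meeting moved to 3pm"},
    {"id": 3, "address": "+10000000003", "date": 1626900200000,
     "body": "Read this http://news.example.org/story"},
    {"id": 4, "address": "+10000000004", "date": 1626900300000,
     "body": "see https://TRACKER.EXAMPLE.NET/x?id=1 now"},
]

# Matches each "[domain-name:value = '...']" comparison inside a STIX pattern,
# so compound patterns joined with OR are handled as well.
DOMAIN_PATTERN_RE = re.compile(r"domain-name:value\s*=\s*'(?P<value>[^']+)'")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def load_domain_iocs(stix_json):
    """Return the set of lower-cased domain indicators in a STIX 2 bundle."""
    bundle = json.loads(stix_json)
    domains = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for m in DOMAIN_PATTERN_RE.finditer(obj.get("pattern", "")):
            domains.add(m.group("value").lower())
    return domains


def extract_hosts(text):
    """Hostnames of all http(s) URLs found in a message body (lower-cased)."""
    hosts = []
    for url in URL_RE.findall(text or ""):
        host = urlparse(url).hostname  # urlparse lower-cases the hostname
        if host:
            hosts.append(host)
    return hosts


def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_sms(messages, domains):
    """Return one hit per (message, matching host), in message order."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg.get("body")):
            if host_matches(host, domains):
                hits.append({"id": msg["id"], "address": msg["address"],
                             "date": msg["date"], "host": host})
    return hits


def run_demo():
    """Load the sample IOCs and scan the sample messages."""
    return check_sms(SAMPLE_SMS, load_domain_iocs(SAMPLE_STIX2))


if __name__ == "__main__":
    for hit in run_demo():
        print(f"SMS {hit['id']} from {hit['address']} links to {hit['host']}")
```

The subdomain rule in `host_matches` is the important detail: a lure link rarely uses the bare indicator domain, so a check that only compares hosts for equality would miss `track.lure.example`. The real tool also covers other indicator types and other artifacts of the backup; this example deliberately shows only the domain match.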