Pegasus is a spyware for spying on mobile devices that was developed by the NSO Group.
NSO Group is an Israeli technology company that primarily develops software and surveillance technologies. The focus of the attacks so far has been primarily on journalists, human rights activists, business people and politicians.
NSO Group claims Pegasus would only be used to investigate terrorism and crime and would leave no trace. However, the fact is that widespread, ongoing unlawful surveillance and human rights violations are taking place through Pegasus. For this purpose, the human rights organization Amnesty International forensically analyzed numerous mobile devices belonging to human rights defenders and journalists around the world.
Pegasus currently reaches end devices via various methods Zero-day vulnerabilities in iMessage, for example.
Apple has now reacted and provided the recently released iOS 14.8, macOS 11.6 and watchOS 7.6.2 with a security patch that prevents Pegasus from infecting the device via iMessage.
In order to check whether your device is infected with Pegasus, you will find instructions below to scan your device.
For more help, see “Backing up your iPhone using your Mac”
https://support.apple.com/de-de/guide/iphone/iph3ecf67d29/ios
Before a scan of any kind can be started, a terminal of your choice requires full access. You can grant this to your preferred terminal in the data protection & security settings.
Python must be installed, but it is preinstalled by default on today's computers. Some parts of the scan may require root permissions. To get this, enter “sudo -s” in the terminal and then enter your password.
cd /Users/%username%/Library/Application Support/MobileSync/Backup
Navigates to the backup folder
(Replaced %username% with your username)
pip3 install mvt
Installs the MVT scanner
wget https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/ -O pegasus.stix2
Download the Amnesty IOCs
mkdir results
Creates a folder for scan results
mvt-ios decrypt-backup -p '<passwort>' -d '<ordner>' '<backup_ordner_name>'
mvt-ios check-backup --iocs '<pegasus_test.stix2 pfad>' --output
'<results order pfad>' '<unverschlüsseltes backup pfad>'
Scan the given backup via MVT & IOCs
If everything went successfully, there should be a number of json files in the results folder. Any filename ending in _detected.json indicates that a trace of Pegasus was found in your backup.
