How Do You Detect Pegasus Spyware on Your iPhone?

By Sophia Taylor

Pegasus isn’t your average phone virus. It’s a highly invasive iOS malware infection developed by Israeli company NSO Group, capable of stealing your most sensitive information from your iPhone.

Not only can Pegasus access your messages, calls, photos, and passwords, but it can also secretly record you through your phone’s camera and microphone.

This sophisticated iOS spyware can pose a serious threat to your privacy and security. It’s known to have been used by oppressive government agencies to target journalists, activists, and anyone deemed a person of interest.

While detecting Pegasus is notoriously difficult, tools and methods do exist.

In this article, we’ll guide you through the process of how you can check for Pegasus on your iPhone and what to do if you suspect your device might be compromised.

💡 Recap: What is Pegasus?

Pegasus is a sophisticated iOS spyware designed by NSO Group and first discovered in 2016. This spyware is extremely difficult to detect due to its sophistication.

This invasive spyware often uses "zero-click" attacks on mobile devices, meaning victims don't need to click links or interact with anything to be infected. For iPhone users, in particular, all it took was opening an iMessage to trigger the spyware.

How to Check iOS Devices for Pegasus Infections

⚠️ Important note: Detecting Pegasus spyware is inherently complex. The methods described below require some technical understanding.

If you’re uncomfortable with these steps or suspect your device is infected, seeking professional assistance from digital security experts is strongly advised.

Mobile Verification Toolkit (MVT)

MVT is a free tool designed to simplify the process of finding potential traces of compromise on your iPhone (or Android device). It’s especially useful for detecting indicators of Pegasus on a mobile device.

This tool was created by the human rights group Amnesty International’s Security Lab as part of their larger efforts to expose spyware and help journalists and activists whose mobile devices are infected with Pegasus.

How MVT helps detect Pegasus

MVT can extract various types of data from an iPhone backup to find evidence of an attack. This includes:

  • SMS messages
  • Call logs
  • Data from installed apps
  • System logs

MVT analyzes the extracted data for patterns and “Indicators of Compromise” (IOCs). IOCs are things like suspicious domain names or specific processes that are known to be associated with Pegasus.

Here’s a breakdown of the main types of “Indicators of Compromise” (IOCs) that tools like MVT look for to detect potential Pegasus infections:

1. Network indicators

➡️ Suspicious domains: Pegasus communicates with command-and-control (C2) servers controlled by its operators. These servers often have domain names that look legitimate but might have unusual elements or be linked to previously identified Pegasus campaigns.

➡️ Network traffic patterns: Monitoring network traffic can reveal unusual connections or data transfers to Pegasus-related domains.

2. Process indicators

Pegasus executes several processes on a compromised device to carry out its operations. MVT checks for process names or behaviors associated with known Pegasus processes.

3. File indicators

➡️ Suspicious configuration files: Pegasus might create or modify specific configuration or settings files within the iOS file system.

➡️ Presence of Pegasus-related files: Detection might be based on the names of specific files used by the spyware or their unique identifying characteristics.

4. SMS and messaging

In some older campaigns, Pegasus was delivered through SMS messages containing exploit links. Analyzing SMS history can reveal these links.

Pegasus has also exploited vulnerabilities in iMessage, so looking for unusual message structures or behaviors can be an indicator.
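How the indicator matching described above works in practice, as an added Python example (not MVT's own code): it reads simple indicators from a STIX2 file of the kind MVT accepts through its `--iocs` option and checks extracted records against them, matching domains on the exact host or a parent domain so that look-alike hosts do not count as hits. The indicator values, record tuples and function names are constructed placeholders, not real Pegasus indicators.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed inputs: placeholder indicators and (source, kind, value) records.
SAMPLE_STIX2 = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value='c2.example.invalid']"},
    {"type": "indicator", "pattern": "[process:name='placeholderd']"},
    {"type": "indicator", "pattern": "[file:name='placeholder.plist']"},
]})
SAMPLE_RECORDS = [
    ("sms", "url", "https://cdn.c2.example.invalid/a?b=1"),
    ("safari_history", "url", "https://notc2.example.invalid/"),
    ("sms", "url", "https://c2.example.invalid.other.test/"),
    ("datausage", "process", "placeholderd"),
    ("datausage", "process", "mediaserverd"),
    ("manifest", "file", "Library/Preferences/placeholder.plist"),
]
PATTERN_RE = re.compile(r"^\[([a-z-]+):(?:value|name)\s*=\s*'([^']+)'\]$")

def load_indicators(stix_text):
    """Group simple single-comparison indicator patterns by STIX object type."""
    iocs = {}
    for obj in json.loads(stix_text).get("objects", []):
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and match:
            iocs.setdefault(match.group(1), set()).add(match.group(2).lower())
    return iocs

def domain_hit(url, bad_domains):
    """Return the listed domain that equals the URL host or is a parent of it."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    labels = host.rstrip(".").lower().split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in bad_domains), None)

def scan(records, iocs):  # -> [(source, kind, value, matched_indicator)]
    hits = []
    for source, kind, value in records:
        if kind == "url":
            matched = domain_hit(value, iocs.get("domain-name", set()))
        else:  # process or file: compare the final path component by name
            name = value.rsplit("/", 1)[-1].lower()
            matched = name if name in iocs.get(kind, set()) else None
        if matched:
            hits.append((source, kind, value, matched))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2)))
```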

How to use MVT

Here’s a general overview of the steps involved. Please be aware this is a simplified outline. Using MVT effectively demands deeper technical knowledge.

1️⃣ Preparation: You’ll need a computer (macOS or Linux recommended) and the ability to connect your iPhone to it. You’ll also need to have Python installed on your computer and understand how to use the command line (Terminal on macOS).

2️⃣ Download and install MVT: Next, you’ll need to install MVT. Here is the official guide.

3️⃣ Back up your iPhone: Once installed, connect your iPhone to your computer using the USB cable and create a backup of it with iTunes (on Windows) or Finder (on macOS). It is recommended to create an encrypted backup as this will contain more data and allow for a more accurate analysis.

4️⃣ Run MVT: Open a command line window and use the MVT commands detailed here to:

  • Decrypt the iPhone backup.
  • Analyze the backup data.
  • Generate a report of findings for signs of Pegasus infection.

Fig 1: MVT results output after analyzing an iPhone.

Interpreting the results

MVT doesn’t provide a simple “yes” or “no” answer. You’ll need to review the report and look for any potential indicators or patterns that might signify the presence of Pegasus spyware. Pay particular attention to any lines that contain the word “WARNING” as this is where any detected threats will be highlighted.
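A first-pass triage of the report folder, as an added Python example (not part of MVT or of the original article): MVT writes records that matched an indicator to files ending in `_detected.json`, so the script counts those per module and collects every log line containing "WARNING". It assumes you saved the terminal output as a `.log` file in the same folder; the folder contents built by `build_sample_results` are constructed, and the function names are hypothetical.

```python
import json
import tempfile
from pathlib import Path

def triage(results_dir):
    """Summarise a results folder: hits per module, WARNING lines, bad files."""
    summary = {"detections": {}, "warnings": [], "errors": []}
    root = Path(results_dir)
    for path in sorted(root.glob("*_detected.json")):
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            summary["errors"].append(path.name)  # review this file by hand
            continue
        summary["detections"][path.name[:-len("_detected.json")]] = len(records)
    for log in sorted(root.glob("*.log")):
        text = log.read_text(encoding="utf-8", errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            if "WARNING" in line:
                summary["warnings"].append(f"{log.name}:{number}: {line.strip()}")
    return summary

def build_sample_results():
    """Write a constructed results folder (not real MVT output) and return it."""
    root = Path(tempfile.mkdtemp(prefix="mvt_results_"))
    (root / "sms.json").write_text(json.dumps([{"id": 1}, {"id": 2}]))
    (root / "sms_detected.json").write_text(json.dumps([{"id": 2}]))
    (root / "safari_history_detected.json").write_text("[{truncated")
    (root / "run.log").write_text(
        "INFO [sms] Extracted 2 records (constructed line)\n"
        "WARNING [sms] Matched an indicator in record 2 (constructed line)\n")
    return root

if __name__ == "__main__":
    print(json.dumps(triage(build_sample_results()), indent=2))
```

An empty summary is not a clean bill of health: it only means no known indicator matched, and any file listed under `errors` still needs manual review.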

Limitations

As we mentioned above, using MVT proficiently requires comfort with command-line tools and some threat analysis experience. Plus, spyware like Pegasus is constantly evolving. MVT might not catch every variation or the most recent traces.

Analyzing Shutdown.log

Kaspersky, a leading cybersecurity firm, has found a new way to detect traces of Pegasus infections using a system log file called Shutdown.log.

💡 What Is a System Log File?

A system log file is a computer-generated text file that records events, activities, and processes occurring within an operating system, software application, or device.

The Shutdown.log file is part of a larger iOS ‘sysdiagnose’ archive that stores information about device reboots.

💡 What Is a Sysdiagnose Archive?

A sysdiagnose archive is a compressed file generated by iOS and macOS devices that contains a comprehensive collection of diagnostic logs, system information, and performance data. Think of it as a snapshot of your device's health at a specific time.

This archive contains the following:

• System logs: Records of system events, processes, errors, and warnings.
• Application crash logs: Details about why apps might have crashed.
• Performance data: Information on resource usage (CPU, memory, etc.) to identify bottlenecks.
• Network configuration: Details about your network settings.
• Battery usage statistics: Data on how your battery is being used.
• Other diagnostic information: Device specifications, hardware info, and more.

Cybersecurity professionals can analyze sysdiagnose archives to detect traces of malware or other security breaches.

If a device containing Pegasus spyware has been rebooted at any time, then the Shutdown.log file will contain specific traces that can indicate an infection.

Kaspersky has developed a free command-line tool that can be used to extract and analyze this file. Similar to MVT, this tool requires some threat analysis experience and is aimed at cybersecurity professionals. But, if you are confident using such tools then this can be another useful way to detect Pegasus on an iPhone.

Why Is It Important to Identify Potential iPhone Infections Like Pegasus?

While it’s true that Pegasus affects a much smaller number of users than other more common types of iPhone spyware, its use is becoming more widespread.

Journalists, activists, business executives, even concerned individuals – anyone with valuable information on their phone could become a target.

This threat isn’t just theoretical. In October 2023, an investigative journalist reached out to Certo after experiencing unusual behavior with their phone.

Excessive battery drain, unexplained data usage, and frequent crashes raised suspicions of a potential security breach.

The Certo team launched a thorough forensic investigation, including the use of the Mobile Verification Toolkit (MVT).

The analysis uncovered chilling evidence — a Pegasus attack that had begun back in December 2022. For over 10 months, this insidious spyware had silently infiltrated the journalist’s phone, siphoning sensitive personal and professional data.

Certo swiftly assisted the journalist in securing their digital environment and provided them with a new, better-protected device. This case highlights the real-world impact of Pegasus and the importance of staying vigilant against sophisticated cyberespionage.

⚠️ Worried About Pegasus? Help Is On the Way!

Certo AntiSpy is adding Pegasus detection capabilities. Soon, you'll be able to check for this advanced spyware with the same easy-to-use tool you trust for everyday protection.

Sign up to our newsletter at the bottom of this page and we'll update you as soon as this feature goes live.

What Can Users Do To Keep Themselves Safe?

If you suspect that your iPhone might be infected with Pegasus or similar spyware, here are some steps you can take:

✅ Reboot daily: Pegasus often doesn’t stay on the device after a reboot, so this can disrupt the infection.

✅ Utilize Lockdown Mode: Apple’s Lockdown Mode (available with iOS 16 and later) significantly hardens your device’s defenses against sophisticated spyware such as Pegasus.

✅ Keep your iOS updated: Ensure your iPhone always runs the latest iOS version as security patches fix vulnerabilities that spyware exploits.

✅ Avoid clicking suspicious links: Avoid clicking on links in unsolicited texts or emails. Pegasus can be spread through seemingly harmless links.

✅ Monitor your device: Pay attention to unusual behavior like battery drain, unexpected data usage, or strange app activity.

💡 Need More Information?

For more detailed information have a look at our comprehensive guide on how to detect spyware on your iPhone.

For additional protection, use anti-spyware software

An anti-spyware app like Certo AntiSpy can be used to run a deep scan of your iPhone. It’s designed to detect any suspicious apps and software that could be sending your data to a hacker.

After the scan results are in, the software will provide clear instructions on removing threats like keyloggers and enhancing your phone’s protection against hacking.

Anti-spyware programs like Certo AntiSpy can be used to regularly check for spyware and ensure your iPhone is secure. Here’s how:

  1. Download Certo AntiSpy to your computer.
  2. Plug in your iPhone and click Scan.
  3. Click Remove next to any threats.

Fig 2: Detecting and removing iPhone spyware with Certo AntiSpy.

Final Thoughts

Pegasus spyware poses a significant threat to individual privacy and freedom.

Its power to infiltrate devices and steal sensitive information makes it a dangerous tool in the wrong hands.

While detection might seem daunting, being proactive with digital security is crucial.

You can significantly reduce your risk by following the steps outlined in this article — rebooting regularly, keeping your devices updated, exercising caution with links, and utilizing security software.

And if you suspect your phone may have been compromised, don’t hesitate to get in contact with digital security experts.

Remember, vigilance is your best defense.