To check for Pegasus spyware, make an encrypted backup, scan with MVT, and keep high-risk devices in Lockdown Mode.
Worried your phone was targeted by NSO’s Pegasus? This guide gives a clear workflow you can run today. You’ll learn quick hygiene checks, a backup routine, and a step-by-step scan with the Mobile Verification Toolkit (MVT). You’ll also see what to do if results show hints of compromise, and how to harden iPhone and Android against the kinds of tricks Pegasus has used.
Fast Triage: Signs, Context, And Safe First Moves
With mercenary spyware, traces can be subtle. Many victims notice nothing until a lab confirms it. Start with safety steps that reduce risk while you prepare an examination.
| Signal You Notice | What It Can Mean | Immediate Move |
|---|---|---|
| Unwanted reboots | Crash from exploit or a flaky app | Note time; plan a scan |
| Battery drain | Background processes, poor signal, or malware | Collect logs; avoid resets |
| Weird iMessage, WhatsApp, or missed calls | Lures or silent delivery attempts | Keep screenshots; do not click |
| New profiles or VPNs | Configuration abuse | Record details; leave in place until imaged |
| Unknown root or jailbreak traces | Persistence or tampering | Stop sensitive chats; prep for forensic help |
| Security updates arriving out of band | Vendors patching an active zero-day | Install patches; plan a scan |
| Carrier SMS with links | Social engineering | Do not open; save message |
How to Check for Pegasus Spyware: iPhone And Android Workflow
The phrase “how to check for Pegasus spyware” shows up in headlines for a reason: real checks need structure. The safest path is a clean backup, a verified toolset, and a documented run. Here’s a flow you can follow without guesswork.
Step 1: Reduce Exposure
Use a secondary device for sensitive chats until you finish. Turn off iMessage and FaceTime on the suspect iPhone if you’re high risk. Avoid uninstalling apps or wiping data before you capture evidence.
Step 2: Make An Encrypted Backup
On iPhone, create an encrypted backup to a Mac or PC. An encrypted backup contains message content and other artifacts that MVT can parse and that an unencrypted backup leaves out. On Android, capture a full ADB backup if available, or a file-system copy from recovery or via OEM tools. Store the backup on a separate computer with disk encryption.
Step 3: Install Mobile Verification Toolkit
MVT is an open-source set of commands: mvt-ios and mvt-android. Install it on your analysis computer, not on the phone you’re checking. Follow the Mobile Verification Toolkit docs to avoid path and dependency errors.
Step 4: Get Trusted Indicators
MVT matches traces on your backup against Indicators of Compromise (IOCs) shared by research teams. Load Pegasus IOCs from reputable sources, then verify the checksum of files you download.
Step 5: Run The Scan
For iPhone backups, point mvt-ios to the backup path and your IOCs. For Android, extract logs and databases and run mvt-android with the same indicator set. Save the JSON output and the HTML timeline.
Step 6: Read Results Carefully
MVT marks hits with a severity level. Hits can come from shared domains once used by operators, old log lines, or benign files with matching names. Look for clusters around the same day, hits tied to messaging services, and entries that line up with odd reboots or patch days.
Step 7: Decide Your Next Move
If you see strong signs near the same time window, move sensitive accounts to a new device, rotate passcodes and keys, and contact a lab that handles human rights cases. If results are clean, keep hardening and schedule a follow-up scan after the next system update.
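A check worth scripting for Step 4 before you run Step 5: this added Python snippet (not from the page or the MVT project) verifies a downloaded indicator file against its published SHA-256 and summarises what the STIX2 bundle will match on. The bundle, the expected hash and every `.invalid` value are constructed placeholders; real indicator files may also use pattern forms this parser only counts as unparsed.

```python
import hashlib
import hmac
import json
import re
from collections import Counter

# Constructed miniature STIX2 bundle in the shape MVT consumes; every value is a placeholder, not a real IOC.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "malware", "name": "Pegasus (placeholder entry)"},
        {"type": "indicator", "pattern": "[domain-name:value = 'c2.example.invalid']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'cdn.example.invalid']"},
        {"type": "indicator", "pattern": "[email-addr:value = 'lure@example.invalid']"},
        {"type": "indicator", "pattern": "[process:name = 'placeholderd']"},
    ],
}).encode()

# Single-comparison STIX patterns such as [domain-name:value = 'x']; anything else is counted as unparsed.
PATTERN_RE = re.compile(r"\[([\w-]+:[\w.-]+)\s*=\s*'([^']*)'\]")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_checksum(data, expected_hex):
    """Compare the file's SHA-256 with the checksum published beside the download."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())

def summarise_indicators(data):
    """Count indicators per STIX object path so you can see what a scan will match on."""
    bundle = json.loads(data)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX2 bundle")
    counts = Counter()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        counts[match.group(1) if match else "unparsed"] += 1
    return dict(counts)

def load_iocs(data, expected_hex):
    """Refuse an indicator file whose checksum does not match; otherwise return its summary."""
    if not verify_checksum(data, expected_hex):
        raise ValueError("checksum mismatch: do not scan with this indicator file")
    return summarise_indicators(data)

if __name__ == "__main__":
    print(load_iocs(SAMPLE_STIX2, sha256_hex(SAMPLE_STIX2)))
```

Run it against the real file with the checksum the researchers publish; a mismatch means re-download from the source, not a scan with the file you have.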
Why Lockdown Mode Matters For High-Risk Users
Lockdown Mode raises the bar by blocking risky attachment types, disabling some complex web technologies, and limiting incoming invitations and requests from unknown contacts. It can blunt fresh exploit chains aimed at iMessage and similar paths. Turn it on before travel, at protests, or during reporting sprints, and leave it on if you’re under targeting.
How To Enable It On iPhone Or iPad
Open Settings → Privacy & Security → Lockdown Mode → Turn On & Restart. Recheck after every major update so new protections are active. See Apple’s step-by-step page on Lockdown Mode for screenshots and platform notes.
Android Hardening Tips That Help
Keep Google Play Protect on. Install updates from the vendor channel. Block sideloading on daily-carry phones. Use a modern browser with site isolation. Cut down on unused messaging apps. Use a dedicated travel device with minimal data and no personal accounts.
Source-Backed Notes On Pegasus Techniques
Investigations have documented zero-click chains hitting iMessage, including the FORCEDENTRY path. That’s why backups and Lockdown Mode are such a strong pairing: one gives visibility, the other reduces attack surface during the next wave.
Checking For Pegasus Spyware With MVT: Practical Run
Prepare Your Analysis Box
Use a fresh user account on macOS, Linux, or WSL. Update Python and pip. Create a virtual environment and install MVT. Keep the machine offline while you copy backups and indicators across. When done, reconnect to fetch any dependency you still need, then go offline again for the scan.
Collect And Stage Artifacts
On iPhone, locate the backup folder and confirm encryption by checking for the Manifest keybag. On Android, pull logs, SMS databases, and the Downloads and messaging caches. Place everything in a read-only directory and clone a working copy for the scan.
Run mvt-ios
Typical flow: mvt-ios decrypt-backup with your password, then mvt-ios check-backup with --iocs and an output path. Add --hints to enrich the timeline and --export-artifacts to save hit files for review.
Run mvt-android
Typical flow: mvt-android check-adb or mvt-android analyze-filesystem with --iocs and an output directory. If you have a logcat dump, include it to catch network beacons and errors around exploit delivery.
Interpret The Output
Read the JSON for each hit. Cross-reference timestamps with your notes on reboots, SMS lures, and patch days. A lone domain hit from years ago is weak. A burst of hits around the same week, tied to messaging services, is stronger. Save your notes with the report folder. If you’re teaching a colleague how to check for Pegasus spyware, share the runbook and mask identifiers in screenshots.
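The reading rule above and in Step 6 (lone old hit is weak, a burst in one week tied to messaging is stronger) as an added Python triage helper, not part of the page or of MVT: it groups rows from MVT's timeline_detected.csv by date window and rates each group. The CSV rows, the plugin names in MESSAGING_PLUGINS and the `.invalid` URLs are constructed placeholders; adjust the plugin set to the plugins that appear in your own output.

```python
import csv
import io
from datetime import datetime, timedelta

# MVT plugin names that touch messaging paths (assumed list; adjust to the plugins in your own run).
MESSAGING_PLUGINS = {"sms", "sms_attachments", "whatsapp", "idstatuscache", "interactionc"}

# Constructed sample in the shape of MVT's timeline_detected.csv; the values are not real indicators.
SAMPLE_CSV = """UTC Timestamp,Plugin,Event,Description
2019-03-02 09:15:44.000000,safari_history,visit,Visit to https://old-lookup.example.invalid
2021-07-18 07:41:03.000000,sms,received,SMS with link https://cdn.example.invalid/x
2021-07-18 07:41:09.000000,idstatuscache,lookup,iMessage lookup of an address matching IOCs
2021-07-19 02:03:10.000000,interactionc,interaction,Contact with an address matching IOCs
2021-07-21 11:00:00.000000,manifest,modified,File name matching a Pegasus process indicator
"""

def parse_timeline(text):
    """Parse timeline CSV rows into (timestamp, plugin, event, description) tuples, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["UTC Timestamp"].strip().rstrip("Z"))
        rows.append((ts, row["Plugin"].strip().lower(), row["Event"], row["Description"]))
    return sorted(rows, key=lambda r: r[0])

def cluster_hits(rows, window_days=7):
    """Group hits whose neighbours fall within window_days of each other, then rate each group."""
    clusters = []
    for ts, plugin, event, desc in rows:
        if clusters and ts - clusters[-1]["end"] <= timedelta(days=window_days):
            c = clusters[-1]
            c["end"], c["count"] = ts, c["count"] + 1
            c["plugins"].add(plugin)
        else:
            clusters.append({"start": ts, "end": ts, "count": 1, "plugins": {plugin}})
    for c in clusters:
        messaging = bool(c["plugins"] & MESSAGING_PLUGINS)
        if c["count"] >= 3 and messaging:
            c["strength"] = "strong"    # burst of hits in one window, tied to messaging services
        elif c["count"] >= 3:
            c["strength"] = "moderate"
        else:
            c["strength"] = "weak"      # e.g. a lone domain hit from years ago
    return clusters

def triage(text, window_days=7):
    return cluster_hits(parse_timeline(text), window_days)

if __name__ == "__main__":
    for c in triage(SAMPLE_CSV):
        print(f"{c['start']:%Y-%m-%d} .. {c['end']:%Y-%m-%d}: {c['count']} hits, "
              f"{sorted(c['plugins'])} -> {c['strength']}")
```

Line the cluster dates up with your notes on reboots, lures and patch days; the rating is a prompt for that cross-check, not a verdict.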
What A Clean Result Means
No tool can promise a verdict, and Pegasus operators change tactics. A clean run says your backup shows no hits against the indicators you loaded. That is good news, but it is not a guarantee. Keep Lockdown Mode on if your threat is real. Keep scanning after big OS releases and after trips or sensitive meetings. Save each report so you can track changes over time.
What A Positive Pattern Means
Multiple hits around the same dates, tied to messaging logs or push services, deserve caution. Move chats to a fresh phone, change carrier SIM or eSIM, and rotate account passwords with a hardware key. Do not restore the old backup to the new device. Ask a lab for a full review and request written findings you can share with counsel or your newsroom if needed.
When To Seek Expert Help
If MVT shows a pattern, do not share screenshots on public timelines. Contact a trusted lab by encrypted email. Ask about safe ways to transfer the backup, keep chain-of-custody notes, and request a written summary. If you face threats, move to a new handset and number before outreach.
Can You Be Safe While Traveling?
Yes. Carry a minimal device with Lockdown Mode on, no personal email, and a strict screen-lock policy. Use eSIMs bought on arrival rather than reusing SIMs. Turn off Bluetooth in crowded areas. Power down the phone when not in use. Keep notes on device behavior for your next scan.
Second Table: Handy Commands And Where They Run
| Platform | Action | Command Or Place |
|---|---|---|
| iOS | Decrypt backup | mvt-ios decrypt-backup |
| iOS | Check backup | mvt-ios check-backup --iocs pegasus.json |
| iOS | Export artifacts | --export-artifacts |
| Android | ADB live check | mvt-android check-adb --iocs pegasus.json |
| Android | Filesystem analysis | mvt-android analyze-filesystem |
| Both | Save timeline | --output ./reports/ |
| Both | Add hints | --hints |
Care And Feeding Of A Hardened Setup
Update Rhythm
Install vendor patches the day they ship. Set a monthly slot to rescan with fresh IOCs. Keep a running log of device events so you can line up timestamps later.
Messaging Hygiene
Trim your app list. Disable auto-saving of media. Block link previews where you can. Treat odd calls and calendar invites as hazards. Where possible, move sensitive chats to a laptop with a trusted client and fewer attack surfaces.
Account Resets
Refresh the device passcode. Rotate Apple ID or Google password and enable a hardware security key. Renew session tokens by signing out and back in after an OS update.
FAQ-Free Takeaways You Can Act On Now
- Do a clean, encrypted backup to another machine.
- Install MVT on the analysis box; never on the phone.
- Load Pegasus IOCs from trusted researchers and verify checksums.
- Scan, export artifacts, and keep notes beside the report.
- Enable Lockdown Mode if your risk is high, and keep it on while traveling.
- If you see a pattern, move accounts to a new phone and contact a lab.
Final Word On Staying Ahead
Anyone can run this playbook with care. The combination of encrypted backups, MVT runs, and Lockdown Mode gives you detection and risk reduction today. Keep the process handy, and refresh it whenever vendors ship big patches, so you can repeat the check after every update.
