How to check Pegasus Spyware on your iPhone

A recent report by The Pegasus Project, a consortium of non-profit organizations and various journalists, claimed to have discovered a leak of 50.000 phone numbers that likely belong to users who might be victims of the Pegasus spyware, developed by the Israeli technology firm NSO.

Amnesty International, part of the group, has released a tool to check if your phone has been affected, called Mobile Verification Toolkit, or MVT.

In this post we will look steps for analyze a iPhone using a Linux machine.

The MVT tool can be easily installed from GitHub [2] repository:

git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install 

However, you also need to resolve some dependencies:

$ sudo apt install python3 python3-pip libusb-1.0-0

In order to analyze an iOS device we need to collect metadata from filesystem: after, this data can be analyzed with MVT.


Currently, two acquisition methodology has available: “Backup” and “Filesystem Dump“.



Backup

More simple and available on all devices, also ‘non-jailbroken‘ devices.
While backups only provide a subset of the files stored on the device, in many cases it might be sufficient to detect some suspicious ‘Pegasus’ artifacts.

On Linux system, you can perform a backup using libimobiledevice [5], that can be installed (on Debian/Ubuntu) using the following commands:

$ sudo apt install usbmuxd libimobiledevice6 libimobiledevice-utils ideviceinstaller

Then you can connect the iPhone to the usb port on your forensic workstation and accept the pair request on device.

Finally, start pairing process:

$ idevicepair pair
SUCCESS: Paired with device c878879d96a910457a3007098693feee2d5XXXXXX

Now, you can start the backup process. In order to collect more information useful to identify Pegasus activities, i suggest to enable backup encryption (encrypted backup contain more data than unencrypted backups):

$ idevicebackup2 backup encryption on
$ idevicebackup2 backup --full ~/iOSBackup/

Once the backup process is complete, you can start the analysis using the mvt-ios tool.

First, you need to decrypt the backup:

mvt-ios decrypt-backup -p password -d  ~/iOSBackupDecrypted ~/iOSBackup/

Them, you need to start the artifatcs extraction:

mvt-ios check-backup --output ~/MVTOutputs ~/iOSBackupDecrypted/udid/

This command will create a few JSON files containing the results from the extraction.


Filesystem Dump

In order to perform a full filesystem acquisition, please refers to my previous post: iOS Forensic: full disk acquisition using checkra1n jailbreak.

Once the acquisition process is completed, you can start the analysis process using mvt-ios:

mvt-ios check-fs /path/to/filesystem/dump/ --output /path/to/output/

Records extracted by mvt-ios

All artifacts extracted by mvt-ios can be analyzed against the Pegasus IoC list [4] published by “Pegasus Project”.

The extracted data includes:

  • cache_files.json: records from all SQLite database files stored on disk with the name Cache.db. These databases typically contain data from iOS’ internal URL caching. (Only available on Full Filesystem dump)
  • calls.json: records from a SQLite database located at /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata, which contains records of incoming and outgoing calls, including from messaging apps such as WhatsApp or Skype.
  • chrome_favicon.json: records from a SQLite database located at /private/var/mobile/Containers/Data/Application/*/Library/Application Support/Google/Chrome/Default/Favicons, which contains a mapping of favicons’ URLs and the visited URLs which loaded them.
  • chrome_history.json: records from a SQLite database located at /private/var/mobile/Containers/Data/Application/*/Library/Application Support/Google/Chrome/Default/History, which contains a history of URL visits.
  • contacts.json: records from a SQLite database located at /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb, which contains records from the phone’s address book.
  • firefox_favicon.json: records from a SQLite database located at /private/var/mobile/profile.profile/browser.db, which contains a mapping of favicons’ URLs and the visited URLs which loaded them.
  • firefox_history.json: records from a SQLite database located at /private/var/mobile/profile.profile/browser.db, which contains a history of URL visits.
  • id_status_cache.json: records from a plist file located at /private/var/mobile/Library/Preferences/com.apple.identityservices.idstatuscache.plist, which contains a cache of Apple user ID authentication. This chance will indicate when apps like Facetime and iMessage first established contacts with other registered Apple IDs.
  • interaction_c.json: records from a SQLite database located at /private/var/mobile/Library/CoreDuet/People/interactionC.db, which contains details about user interactions with installed apps.
  • locationd_clients.json: records from a plist file located at /private/var/mobile/Library/Caches/locationd/clients.plist, which contains a cache of apps which requested access to location services.
  • manifest.json: records from the SQLite database Manifest.db contained in iTunes backups, and which indexes the locally backed-up files to the original paths on the iOS device.
  • datausage.json: records from a SQLite database located /private/var/wireless/Library/Databases/DataUsage.sqlite, which contains a history of data usage by processes running on the system.
  • netusage.json: records from a SQLite database located /private/var/networkd/netusage.sqlite, which contains a history of data usage by processes running on the system. (Only available on Full Filesystem dump)
  • safari_browser_state.json: records from the SQLite databases located at /private/var/mobile/Library/Safari/BrowserState.db or /private/var/mobile/Containers/Data/Application/*/Library/Safari/BrowserState.db, which contain records of opened tabs.
  • safari_favicon.json: records from the SQLite databases located at /private/var/mobile/Library/Image Cache/Favicons/Favicons.db or /private/var/mobile/Containers/Data/Application/*/Library/Image Cache/Favicons/Favicons.db, which contain mappings of favicons’ URLs and the visited URLs which loaded them. (Only available on Full Filesystem dump)
  • safari_history.json: records from the SQLite databases located at /private/var/mobile/Library/Safari/History.db or /private/var/mobile/Containers/Data/Application/*/Library/Safari/History.db, which contain a history of URL visits.
  • sms.json: list of SMS messages containing HTTP links from the SQLite database located at /private/var/mobile/Library/SMS/sms.db.
  • sms_attachments.json: details about attachments sent via SMS or iMessage from the same database used by the SMS module.
  • version_history.json: records of iOS software updates from analytics plist files located at /private/var/db/analyticsd/Analytics-Journal-*.ips. (Only available on Full Filesystem dump)
  • webkit_indexeddb.json: list of file and folder names located at the following path /private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/IndexedDB, which contains IndexedDB files created by any app installed on the device. (Only available on Full Filesystem dump)
  • webkit_local_storage.json: list of file and folder names located at the following path /private/var/mobile/Containers/Data/Application/*/Library/WebKit/WebsiteData/LocalStorage/, which contains local storage files created by any app installed on the device. (Only available on Full Filesystem dump)
  • webkit_safari_view_service.json: list of file and folder names located at the following path /private/var/mobile/Containers/Data/Application/*/SystemData/com.apple.SafariViewService/Library/WebKit/WebsiteData/, which contains files cached by SafariVewService. (Only available on Full Filesystem dump)
  • webkit_session_resource_log.json: records from plist files with the name full_browsing_session_resourceLog.plist, which contain records of resources loaded by different domains visited.
  • whatsapp.json: list of WhatsApp messages containing HTTP links from the SQLite database located at /private/var/mobile/Containers/Shared/AppGroup/*/ChatStorage.sqlite. (Only available on Full Filesystem dump)

References

  1. Forensic Methodology Report: How to catch NSO Group’s Pegasus
  2. https://github.com/mvt-project/mvt
  3. iOS Forensic: full disk acquisition using checkra1n jailbreak
  4. NSO Group Pegasus Indicator of Compromise
  5. iOS Forensics: how to perform a logical acquisition with libimobiledevice

Related posts

  1. Cybersecurity Roundup #19
  2. iOS Forensics: how to perform a logical acquisition with libimobiledevice
  3. How smartphones reacts to IMSI catching attacks?
  4. How many data are shared by iOS and Android telemetry?
  5. How to reduce your Digital Footprint, part 1: Web Browsers and Extensions