How to Detect Pegasus Spyware on Your Phone: Simple Guide

PDF download Download Article
Surefire ways to spot a Pegasus spyware infection on your device
PDF download Download Article

Pegasus is a sophisticated spyware application that steals sensitive information without the target knowing they have been attacked. Experts at Amnesty International estimate that roughly 50 thousand devices have been infected with Pegasus since 2021.[1] Unfortunately, due to its sophistication, Pegasus can be extremely difficult to detect. If you are worried that you have Pegasus on your Android, you can use MVT, a free tool designed by Amnesty International's Security Lab, to scan your phone. On an iPhone, you can use a similar tool offered by iMazing. This wikiHow article will teach you the signs your phone is infected with Pegasus spyware and how to scan your Android or iPhone for Pegasus using your computer.

Detecting Pegasus Spyware

MVT is a program developed by Amnesty International to detect Pegasus on Android and iPhone. It is developed for Linux, but you can also use it on a Mac through Homebrew or on Windows using a Windows Subsystem for Linux. iMazing has a simplified version of this tool for iPhone.

Section 1 of 4:

General Signs of Pegasus Spyware

PDF download Download Article
  1. Look for general signs of spyware. Normally, when your phone is infected with spyware, you may notice it is running more slowly than usual or getting hot for no reason. You may also note that your battery is draining rapidly and you are using more data than usual, even though your browsing habits haven’t changed. You may also have a hard time logging into secure websites, or being redirected to websites you didn't intend to visit.[2]
    • Unlike less sophisticated spyware, Pegasus is difficult to detect. In most cases, you won't notice any signs of infection at all.
    • Phishing is one way Pegasus can be installed on an unsuspecting user’s phone. If you’ve received any emails or text messages that redirect you to another website, you may be the target of Pegasus or other spyware.
    • Amnesty International keeps a list of Pegasus attacks, the day they happened, as well as a list of web addresses, email addresses, and phone system processes associated with Pegasus attacks. You can view their complete list here and see if anything in this list appears in your phone system, email, or browser history.[3]
    2. Advertisement
Section 2 of 4:

Detecting Pegasus on iPhone

PDF download Download Article
  1. Step 1 Download and install iMazing’s Spyware Analyzer tool.
    Software developers iMazing have set up an easy way for iPhone owners to scan for Pegasus spyware. To download and install it, go to the iMazing Spyware Analyzer download page in a web browser and click Download iMazing. It’s available for Windows and Mac. Once it is downloaded, open the installation file in your Downloads folder and follow the prompts. [4]
    • iMazing offers a paid version, but its free trial includes the spyware detection tool without a time limit or restriction.
    • iMazing's tool emulates the original Mobile Verification Kit from Amnesty International. Amnesty's tool requires prior configuration in macOS or Linux, but iMazing's tool brings these features to your iPhone.
  2. Step 2 Connect your iPhone or iPad to your computer.
    Use the USB cable that came with your phone or tablet, or a compatible replacement.
    • If you have previously backed up your device to iMazing, you can scan that backup without connecting a device.
    • When you connect your device for the first time, you may need to tap Trust on your iPhone or iPad to trust the computer.
  3. Step 3 Launch iMazing and select your iPhone.
    The application should detect your phone immediately. You will have to enter your phone's passcode to complete the pairing process.
    • Make sure your phone is unlocked while pairing it with iMazing.
    • Make sure you have an internet connection on both devices.
    • You should see your device in the menu bar to the left. If it is not selected, click Devices in the menu panel to the left and select your device.
  4. 4
    Open the Spyware Analyzer. To do so, click Tools in the menu bar to the left. Then click Spyware Analyzer.
  5. Step 5 Follow the on-screen instructions to select your preferences.
    iMazing will provide you with some information. Click Next to proceed to configuration, where you can accept the default settings and click Next again.
    • The configuration page allows you to choose between a .csv and an .xlsx file for your exported report. The default “.csv” should be fine, but you can choose “xlsx” if you would rather download it as an Excel spreadsheet.
  6. 6
    Back up your encryption or select a backup. Next, you will be asked if you want to back up your encryption. Click Next to continue. Alternatively, you can click Backup Location and select a backup on your computer that you want to use as your default backup location. Click Next to continue.
  7. 7
    Agree to the disclaimers and click Start Analysis to start the scan. Click the checkbox below the “Consensual Use Only” disclaimer and the “Important Disclaimer," then start the analysis.
    • You may need to enter your device password to unlock your device.
    • If you choose to create a backup, iMazing will carry that process out first, which may take a while depending on your device's storage.
  8. Step 8 Click Open Report to review your results.
    Once the scan is done, a pop-up will report the scan's findings. A clean scan will include the phrase No signs of infection detected. If iMazing detects spyware, it will say Possible infection detected.[5]
    • If you have a clean scan, you do not need to open your report. While false positives can happen, false negatives are not a concern.
    • Pay particular attention to the Malware column and search for the term Pegasus.
    • If you do not see any of the detected malware labeled as Pegasus, you do not have to worry about Pegasus spyware. Of course, you should still work to rid your device of any detected malware.
  9. Step 9 Send your report to iMazing to check for false positives.
    You can send the report to imazing.com/contact. The developer promises to get back to you quickly.[6]
    • If iMazing confirms your positive scan, they will connect you with the help needed to clean your device. Keep in mind their tool is purely a detection service.
    • While waiting for a response from iMazing, you may continue to use your device, but you should refrain from communicating with others to not expose them to the malware.
    10. Advertisement
Section 3 of 4:

Detecting Pegasus on Android

PDF download Download Article
  1. Step 1 Visit the MVT...
    Visit the MVT GitHub page to learn about the tool. If you want to know if Pegasus is on your Android phone, you will have to use the official detection tool from Amnesty International. This tool is designed for forensics experts and is only available for Linux and macOS, though Windows users can use it with Windows Subsystem for Linux. There's no graphical user interface, so you'll need to use the Terminal on Mac and Linux or PowerShell on Windows.
    • You won't see any obvious "You have Pegasus!" notifications. However, you can use this tool to gather evidence that will be useful to share with experts.
    • The Amnesty MVT can only offer limited insights on Android devices, as Android devices do not store as much diagnostic information as iPhones.[7]
  2. 2
    Install Windows Subsystem for Linux (Windows only). MVT is not officially supported on Windows; however, Windows users can install Windows Subsystem for Linux (WSL), which will install a Linux environment within Windows. You can use this to run MVT on your Windows computer. Use the following steps to install WSL on Windows:[8]
    • Click the Windows Start menu.
    • Type powershell.
    • Right-click PowerShell and click Run as Administrator.
    • Type wsl –install.
    • Restart your computer and open a PowerShell window.
    • Type wsl.exe –list –online to view the available Linux distributions
    • Type wsl.exe –install <distribution name> to install a specific distribution. Enter wsl.exe –install ubuntu to install Ubuntu (recommended).
    • Follow the prompts to create a username and password.
    • To access Linux, open PowerShell, type WSL, and press Enter. Alternatively, you can find your Linux distribution in the Windows Start menu.[9]
  3. Step 3 Install Xcode and Homebrew (Mac Only).
    If you already have these tools installed, you can skip this step. Use teh following steps to install Xcode and Homebrew:
    • Search for Xcode in your Mac’s App Store and install it.
    • Open the Terminal in your Utilities folder or Spotlight/Magnifying Glass icon.[10]
    • Type t/bin/bash -c "$(curl -fsSL [11] )" and press Return.[12]
    • Type export PATH="/usr/local/opt/python/libexec/bin:$PATH" and press Return.
  4. 4
    Open a Terminal window. Use one of the following commands to do so:
    • Linux: Press Ctrl + Alt + T to open the Terminal.
    • Mac: Click the magnifying glass icon in the upper-right corner. Then enter “Terminal” in the search bar. Click the Terminal icon.
    • Windows: Open a PowerShell window, type wsl, and press Enter. Alternatively, you can click the Linux distribution you installed in the Windows Start menu.
  5. Step 5 Download and install Python.
    You will need Python 3.6 or later installed on your computer to run MVT. Use the following steps to install it within the Terminal:
    • Linux & Windows: Check your Python version by running python at the prompt. If it's an older version, use sudo apt-get install python (Ubuntu) or sudo yum install python (Redhat/Fedora) to update.
    • Mac: The version of Python that comes with macOS is dated, so run the command brew install python to get the latest version.
  6. This contains the tools you'll need to interact with your Android, including adb (Android Debug Bridge). Use one of the following steps to download and install it:
  7. Step 7 Install the dependencies.
    We need to install some basic dependencies that will allow us to run MVT.
    • Linux & Windows:
      • Type sudo apt install python3 python3-pip libusb-1.0-0 sqlite3 and press Enter.
      • For Ubuntu 23.04 and above, run sudo apt install pipx and press Enter. Then type pipx ensurepath and press Enter.
      • For Ubuntu 22.04 and below, type python3 -m pip install --user pipx and press Enter. Then type python3 -m pipx ensurepath and press Enter.
    • Mac: Type brew install python3 libusb sqlite3 and press Enter.
  8. 8
    Install MVT. To do so, type bash pipx install mvt into a Terminal window and press Enter.
  9. Step 9 Enable debugging on your Android.
    If you haven't already done so, open your Android's Settings, tap About phone, then tap "Build Number" 7 times.[14] Tap the back button, and you'll now see a menu called "Developer Options."[15] Once enabled, you can turn on USB debugging:
    • In your Settings, go to Developer Options (it may be under System > Advanced on some devices).
    • Tap the toggle switch next to “USB Debugging.”
  10. Step 10 Connect your Android to your PC with a USB cable.
    Ensure your device is unlocked and connected to the internet. When prompted on your Android, select Trust. Once your Android device is connected, open a Terminal window and type abd devices and press Enter.
    • MVT can only analyze SMS messages containing links, but these tend to be the most high-risk messages anyway.[16]
    • MVT may request some extra permissions to scan parts of your device, but this would require you to root your device, which would only further expose your device to malware. Simply deny these permissions and accept the available scan.
  11. Step 11 Type mvt-android download-iocs and press Enter.
    With the MVT installed, Python can now interpret its commands. This command downloads files ending with the .stix2 file extension and saves them to the app directory.[17]
    • Run the ls -a command to find the files if you're not sure where they are. You'll need to specify the path to your .stix2 file to check for Pegasus.
  12. Step 12 Type mvt-android check-adb --iocs /path/to/stix.file --output /path/to/results and press Enter.
    This command will use all of MVT's options to check your Android over USB using the debug bridge, which can take a while.
    • As data is compared to the specified .stix file, results will be recorded to the specified results folder. Possible matches will be indicated with a "WARNING" message, though the warnings may indicate spyware other than Pegasus.
    • If you don’t want to scan your entire Android, run mvt-android without any arguments to see which individual options are available. But if you're really concerned, just run through all of the checks with mvt-android.
    13. Advertisement
Section 4 of 4:

Frequently Asked Questions

PDF download Download Article
  1. 1
    Who is a Target of Pegasus? Pegasus is typically licensed to governments and intelligence agencies. Its stated purpose is to fight crime and terrorism. However, it has also been confirmed to have been used against journalists, media organizations, activists, and politicians.[18] The average person is unlikely to have Pegasus installed on their phone. However, if you are a high-level activist, journalist, or politician (especially in the opposition party), or you are involved in crime or terrorism, you may be the victim of a Pegasus attack.[19]
  2. 2
    What is Pegasus? Pegasus is a sophisticated spyware tool developed by NSO Group in Israel. Governments and intelligence agencies typically use it for the purpose of fighting crime and terrorism. However, it has been found on the phones of activists, journalists, and politicians. Unlike other spyware apps, Pegasus can be extremely hard to detect.[20]
  3. 3
    How is Pegasus installed? There are several ways Pegasus can be remotely installed on a target's phone without the target knowing. The following are some common methods:[21]
    • Zero-click attacks: This is the most common way Pegasus is used to infect a target’s phone. They leverage exploits in apps that are unknown to the developer as a means of delivering the attack. The target’s phone is infected without them having to click or download anything. Common apps Pegasus has been known to exploit include iMessage and Apple Music.[22]
    • Phishing: The target is sent an email or text message with a link to a website. The website is usually a decoy website, designed to look like an official website. Once the target taps on the link, Pegasus can be installed.
    • Network Injections: These happen when an attacker intercepts network data being sent to your device and replaces it with malicious packets that can be used to install Pegasus. They may be done using data from a specific app or by connecting to your Wi-Fi network.[23]
    • In person: If someone has accessed your phone without your knowledge or permission, they may have been able to install Pegasus on your device manually.
  4. 4
    What data can Pegasus access? Pegasus can access a wide range of data, including the following:
    • Text Messages
    • Emails
    • Contacts
    • Photos and Videos
    • Locations
    • Audio Messages
    • Recordings
    • Camera Data
  5. 5
    Can Pegasus be removed? Pegasus can be very difficult to remove. You may be able to remove it by factory-resetting your device, but this is no guarantee. You may need the aid of a digital forensic specialist. Your best course of action is to replace your phone. If you restore your phone from a backup, make sure you use a backup from before the attack took place.
  6. 6
    What should I do if my phone is infected with Pegasus? The first thing you should do is to power off the infected device and factory-reset it. Keep it away from you, your work, or any sensitive data. Replace the phone as soon as possible. Change your password on all your accounts and make sure you are using two-factor authentication. Replace the infected device as soon as possible and dispose of it. If you restore your new device from a backup, make sure you use a backup from before the attack.
    7. Advertisement


Expert Q&A

Ask a Question
200 characters left
Include your email address to get a message when this question is answered.
Submit
Advertisement

Video

Tips

Submit a Tip
All tip submissions are carefully reviewed before being published
Name
Please provide your name and last initial
Submit
Thanks for submitting a tip for review!

You Might Also Like

Spyware on iPhoneIs There Spyware on Your iPhone? What You Need to Know
Find Hidden Spy Apps on Android
How to
Find Hidden Spy Apps on an Android Phone
Detect Malware on Android
How to
Detect Malware on Android
Know if You Have Spyware on Your Computer
How to
Know if You Have Spyware on Your Computer
Check if an iPhone Has a VirusWhat to Do If You Think Your iPhone Has a Virus or Malware
Know if Your Phone Has a Virus
How to
Tell If Your Phone Has a Virus and What Steps to Take
Detect Malware on an iPhoneMalware on iPhone: Signs of Infection & How to Get Rid of It
Jailbreak Your Phone
How to
Jailbreak Your Phone
Detect Ransomware on iPhone or iPad
How to
Detect Ransomware on iPhone or iPad
Remove Malware
How to
Remove and Prevent Malware on a Computer
Tell if Your Phone Is Being Tracked
How to
Tell if Your Phone Has Been Tapped
Does Mac Have a Built in Virus ScannerDo Macs Have a Built-In Virus Scanner? And Do You Really Need Antivirus Software?
Tell if Your Phone Is Tapped
How to
Tell If Your Phone Is Tapped: Telltale Signs + Fixes
Detect a Phone Virus on Samsung GalaxyDetect a Phone Virus on Samsung Galaxy: Signs, Scans, & More
Advertisement

References

  1. https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
  2. https://www.bitdefender.com/en-us/blog/hotforsecurity/pegasus-spyware-what-it-is-and-how-to-protect-yourself
  3. https://securitylab.amnesty.org/case-study-the-pegasus-project/
  4. https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone
  5. https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone
  6. https://support.imazing.com/hc/en-us/requests/new
  7. https://docs.mvt.re/en/latest/android/methodology/
  8. https://www.theverge.com/2021/7/21/22587234/amnesty-international-nso-pegasus-spyware-detection-tool-ios-android-guide-windows-mac
  9. https://learn.microsoft.com/en-us/windows/wsl/install
  1. https://support.apple.com/guide/terminal/open-or-quit-terminal-apd5265185d-f365-44cb-8b09-71a064a42125/mac
  2. https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh
  3. https://brew.sh/
  4. https://docs.mvt.re/en/latest/install/
  5. https://developer.android.com/studio/debug/dev-options
  6. https://www.samsung.com/us/support/answer/ANS00087642/
  7. https://github.com/mvt-project/mvt/blob/main/docs/android/backup.md
  8. https://docs.mvt.re/en/latest/iocs/
  9. https://ijclinic.law.uci.edu/clipping-pegasuss-wings/basics-of-pegasus/
  10. https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
  11. https://www.aljazeera.com/news/2022/2/8/what-you-need-to-know-about-israeli-spyware-pegasus
  12. https://ijclinic.law.uci.edu/clipping-pegasuss-wings/basics-of-pegasus/
  13. https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html
  14. https://www.belkin.com/support-article/?articleNum=8455

About This Article

Luigi Oppido
Reviewed by:
Luigi Oppido
Computer & Tech Specialist
This article was reviewed by Luigi Oppido and by wikiHow staff writer, Travis Boylls. Luigi Oppido is the Owner and Operator of Pleasure Point Computers in Santa Cruz, California. Luigi has over 25 years of experience in general computer repair, data recovery, virus removal, and upgrades. He is also the host of the Computer Man Show! broadcasted on KSQD covering central California for over 7 years. This article has been viewed 246,848 times.
How helpful is this?
Co-authors: 4
Updated: March 30, 2026
Views: 246,848
Categories: Computer Virus Protection
In other languages
Thanks to all authors for creating a page that has been read 246,848 times.

Is this article up to date?

Advertisement