Author: Mecapixel
Date: April 2026
Tool: MVT 2.7.0 by Amnesty International's Security Lab
Platform: Windows 11 → iOS Device
Result: ✅ No indicators of compromise detected
This project documents a hands-on mobile security assessment performed on a personal iOS device using Amnesty International's Mobile Verification Toolkit (MVT). The goal was to detect any indicators of compromise (IOCs) from known commercial spyware including Pegasus, Predator, RCS Lab, Stalkerware, KingSpawn, DarkSword, and others.
This is a real-world security hygiene exercise and part of an active cybersecurity portfolio documenting practical skills on the path toward digital forensics and ICAC investigations.
| Spyware | Developer | Notes |
|---|---|---|
| Pegasus | NSO Group (Israel) | Nation-state spyware, zero-click iOS exploits |
| Predator | Intellexa | Mercenary spyware targeting politicians/journalists |
| RCS Lab | RCS Lab (Italy) | Commercial surveillance, Europe/Asia targets |
| KingSpawn | Quadream (Israel) | iOS-targeting commercial spyware |
| NoviSpy | Serbian state | Documented journalist targeting campaign (2024) |
| DarkSword | Unknown | IOCs from 2026 campaign |
| Stalkerware | Various | Consumer tracking apps, domestic abuse vector |
| Cellebrite | Cellebrite (Israel) | Forensic extraction tool indicators |
| Wintego Helios | Wintego | Commercial surveillance platform |
| Coruna | Cryptowaters | Mercenary spyware campaign (2026) |
- Windows 10 or Windows 11
- Python 3.8 or higher
- iTunes (Microsoft Store version or Apple website)
- Microsoft Visual C++ Build Tools
- iOS device with USB cable
- Go to python.org/downloads
- Download the latest version
- Run the installer
⚠️ CRITICAL: On the first screen check "Add Python to PATH" before clicking anything else
Verify install:

```powershell
python --version
```

MVT requires the Visual C++ Build Tools to compile the pyahocorasick dependency (a C extension for high-performance string matching).
- Go to visualstudio.microsoft.com/visual-cpp-build-tools
- Click Download Build Tools
- In the installer select "Desktop development with C++" workload only
- Click Install (~129MB)
- Restart your terminal after install completes
Open Command Prompt or PowerShell as Administrator and run:

```powershell
pip install mvt
```

Verify install:

```powershell
mvt-ios --version
```

Download the latest indicators:

```powershell
mvt-ios download-iocs
```

This downloads the latest spyware indicators from Amnesty International's GitHub. MVT will load them automatically on the next run. Re-run this command periodically to stay current.
⚠️ Encrypted backup is required — unencrypted backups exclude sensitive data domains needed for comprehensive scanning.
- Open iTunes and connect your iPhone via USB
- Trust the computer on your phone if prompted
- Click the iPhone icon in iTunes
- Under Backups select This Computer
- Check Encrypt local backup
- Set a strong password — do not forget this, you cannot recover it
- Click Back Up Now
- Wait for completion — check Edit → Preferences → Devices to confirm
Paste this into PowerShell:

```powershell
cd "$env:USERPROFILE\Apple\MobileSync\Backup\"
dir
```

If that path doesn't exist, iTunes was installed from Apple's website. Try:

```powershell
cd "$env:APPDATA\Apple Computer\MobileSync\Backup\"
dir
```
You'll see a folder with a long alphanumeric name — that's your backup. Copy the full name.
```powershell
mvt-ios decrypt-backup --password YOUR_BACKUP_PASSWORD --destination "C:\Users\[USERNAME]\Desktop\decrypted_backup" "C:\Users\[USERNAME]\Apple\MobileSync\Backup\[BACKUP_FOLDER_NAME]"
```

Replace:

- `YOUR_BACKUP_PASSWORD` — the password you set in iTunes
- `[USERNAME]` — your Windows username
- `[BACKUP_FOLDER_NAME]` — the folder name from Step 2

Note that a password passed on the command line is saved in your PowerShell history; MVT can also read it from the `MVT_IOS_BACKUP_PASSWORD` environment variable instead.

Wait for completion. You'll see INFO lines scrolling — this is normal. This took approximately 15-20 minutes on a heavily used device.
```powershell
mvt-ios check-backup --iocs "C:\Users\[USERNAME]\AppData\Local\mvt\mvt\indicators" --output "C:\Users\[USERNAME]\Desktop\mvt_results" "C:\Users\[USERNAME]\Desktop\decrypted_backup"
```

MVT will scan all modules against 11,000+ spyware indicators. Allow 10-20 minutes to complete.
| Output | Meaning |
|---|---|
| `INFO ... produced no detections!` | ✅ Clean — no IOC matches |
| `WARNING` | ⚠️ Review manually — usually benign (see the common warnings below) |
| `DETECTED` in any filename in results folder | 🚨 Potential compromise — investigate further |
MVT writes JSON output files to your specified --output folder. Check for any files with DETECTED in the filename — these require immediate attention.
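The check above (look for `DETECTED` in the output folder) can be scripted so it is repeatable between quarterly runs. The following is an added example and not part of MVT or of this write-up; it assumes MVT's convention of writing one `<module>.json` per module plus a separate `<module>_detected.json` only when a module matched an indicator, and the sample results folder it builds is constructed for demonstration (the matched domain is a placeholder, not a real IOC).

```python
"""Triage an MVT results folder: flag any *detected* JSON files and count their records.

Added example, not MVT project code. Assumes MVT's <module>.json / <module>_detected.json
naming convention; the sample folder built by build_sample_results() is constructed data.
"""
import json
import sys
import tempfile
from pathlib import Path


def triage_results(results_dir):
    """Return {'clean': [names], 'detected': {name: record_count}, 'unreadable': [names]}."""
    results_dir = Path(results_dir)
    summary = {"clean": [], "detected": {}, "unreadable": []}
    for path in sorted(results_dir.glob("*.json")):
        if "detected" not in path.name.lower():
            summary["clean"].append(path.name)
            continue
        try:
            records = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A detected file we cannot parse still needs a human look, so report it separately
            summary["unreadable"].append(path.name)
            continue
        # MVT writes matched records as a JSON list; treat any other shape as a single hit
        summary["detected"][path.name] = len(records) if isinstance(records, list) else 1
    return summary


def is_clean(summary):
    """True only when no detected or unreadable files were found."""
    return not summary["detected"] and not summary["unreadable"]


def build_sample_results(root=None):
    """Write a constructed results folder (hypothetical values) and return its path."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    root.mkdir(parents=True, exist_ok=True)
    (root / "backup_info.json").write_text(
        json.dumps({"Device Name": "iPhone"}), encoding="utf-8")
    (root / "safari_history.json").write_text(
        json.dumps([{"url": "https://www.ebike.com/", "redirect_source": None}]), encoding="utf-8")
    # Shape of a detected file if an IOC had matched; the domain is a placeholder, not a real IOC
    (root / "safari_history_detected.json").write_text(
        json.dumps([{"url": "http://ioc-placeholder.invalid/",
                     "matched_indicator": {"value": "ioc-placeholder.invalid"}}]),
        encoding="utf-8")
    return root


if __name__ == "__main__":
    # Pass your real --output folder as the first argument; otherwise the constructed sample is used
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_results()
    result = triage_results(target)
    for name in result["clean"]:
        print(f"OK        {name}")
    for name in result["unreadable"]:
        print(f"UNREADABLE {name}")
    for name, count in result["detected"].items():
        print(f"DETECTED  {name} ({count} record(s))")
    print("Verdict:", "clean" if is_clean(result) else "investigate further")
```

Run it as `python triage_mvt.py "C:\Users\[USERNAME]\Desktop\mvt_results"` after `check-backup` finishes. Anything listed as `DETECTED` or `UNREADABLE` is what the table above calls "investigate further"; a clean scan lists only `OK` lines.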
- HTTP redirect warnings — normal website redirects (e.g. ebike.com → bosch-ebike.com) are flagged but not malicious
- Lockdown Mode disabled — this is the default iOS state, not a threat indicator
- WhatsApp no data — appears if WhatsApp is not installed
| Module | Status | Detail |
|---|---|---|
| BackupInfo | ✅ No Detections | 174 apps, device info extracted |
| DataUsage | ✅ No Detections | 327,578 processes analyzed |
| SafariBrowserState | ✅ No Detections | Browser state clean |
| SafariHistory | ✅ No Detections | 3,621 history records — 1 benign redirect |
| TCC Permissions | ✅ No Detections | All permissions from known legitimate apps |
| Shortcuts | ✅ No Detections | 8 shortcuts checked |
| Applications | ✅ No Detections | 174 apps verified |
| Calendar | ✅ No Detections | 179 calendar items clean |
| GlobalPreferences | ✅ No Detections | Lockdown Mode disabled (expected) |
| WhatsApp | N/A | Not installed |
Total indicators checked: 11,209
Detections: 0
Based on this assessment and general mobile security best practices:
- Keep iOS updated — most known spyware exploits unpatched vulnerabilities
- Restart your phone weekly — some spyware cannot survive reboots
- Consider Lockdown Mode — Settings → Privacy & Security → Lockdown Mode (recommended for elevated threat profiles)
- Audit app permissions — review microphone, camera, and location access regularly
- Use Signal for sensitive communications
- Monitor background data usage — unexpected spikes can indicate exfiltration
- Re-run MVT quarterly — new IOCs are added as new campaigns are discovered
```text
├── README.md                              # This file
├── MVT_Security_Assessment_Report.docx    # Full technical report
└── sample_output/                         # Example of clean scan output (redacted)
```
This assessment was performed on a personally owned device for security hygiene purposes. Results reflect known, publicly documented IOCs only. MVT itself notes that public indicators will not detect the most advanced nation-state attacks using unknown infrastructure.
"Using MVT with public indicators of compromise (IOCs) WILL NOT automatically detect advanced attacks." — MVT Project
If you have serious concerns about a possible spyware attack, contact Amnesty International's Security Lab at securitylab.amnesty.org/get-help.
- MVT Official Site
- MVT GitHub Repository
- Amnesty International Security Lab
- iOS Lockdown Mode
- NSO Group Pegasus Investigation — Amnesty Tech
Part of the Mecapixel cybersecurity portfolio — OSCP track | Digital Forensics | Python