Android, like any other operating system, faces risks such as malware and, above all, advanced spyware capable of monitoring communications, location, and files without raising suspicion. In recent years, names like Pegasus have exposed a disturbing picture: the phones of journalists, activists, and public figures compromised with high-end techniques that leave barely a trace.
Checking whether a phone has been compromised is no longer the exclusive preserve of forensic teams. The Mobile Verification Toolkit (MVT), published by Amnesty International's Security Lab, brings this kind of analysis within reach of users with a reasonable degree of technical proficiency. It is not an antivirus but a forensic kit designed to look for very specific indicators of compromise. Below we explain what it detects, how to install it, how to use it on Linux and on Windows via WSL, how to interpret its results, and what to expect from its verdict.
What is MVT and what exactly does it detect?
Mobile Verification Toolkit (MVT) is a collection of open source forensic tools created by Amnesty International's Security Lab. Its goal is not to find common viruses or banking Trojans but to search for indicators of compromise (IoCs) associated with sophisticated spyware on Android and iOS.
These IoCs work like digital fingerprints: paths, domains, system artifacts, log entries, or patterns that point to known surveillance activity. MVT compares what it extracts from the device against STIX2-formatted indicator lists maintained by the research community.
Main capabilities of MVT depending on the platform and available artifacts:
- iOS: decrypt encrypted backups, process and analyze backups, system logs, and app data, generate timelines, and single out suspicious traces.
- Android: extract the list of installed apps and download their APKs, retrieve diagnostic information via ADB, analyze SMS and other available artifacts, and compare all of them against known IoCs.
- Structured output: JSON logs, a unified timeline, and a filtered list of potentially malicious artifacts.
- A downloadable, updatable IoC database to compare findings against.
Important: MVT does not replace antivirus software and does not detect common Android threats such as adware, phishing, or financial Trojans. It is designed for advanced spyware cases and its coverage is, by design, limited to known indicators.
Signs, limits and realistic expectations
MVT's power varies between platforms. Many more forensic traces are accessible on iOS than on Android, so it is generally more effective on an iPhone. On Android, MVT focuses on what it can extract without root: APKs, SMS, system properties, and a few other artifacts.
MVT's verdict uses color codes that should be read calmly:
- Green (info): normal progress messages. The analysis is proceeding without significant incidents.
- Yellow (warning): a finding that needs interpretation. It could be an unusual SMS link or a process anomaly; on its own it does not confirm infection.
- Red (error): a technical problem in the tool or the extraction (for example, a corrupted backup). It does not by itself imply compromise.

What MVT can and can't tell you: a clean result means no IoCs from your downloaded database were found; it does not certify the total absence of threats. It does not detect common malware, nor does it cover every possible variant. False positives can also occur, and they require judgment and, sometimes, professional advice.
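The matching described above, as an added illustration that is not code from the MVT project: it parses a hand-written STIX2 bundle in the layout of the IoC files MVT downloads (the pattern syntax is real STIX2; the domain, package name and process name are invented placeholders, not real indicators), builds a lookup set per indicator type, and checks constructed Android artifacts (SMS bodies, installed packages, a process list) against them. An empty result from `scan` is the equivalent of MVT's "no detections", which only means nothing matched the loaded database.

```python
import json
import re
from typing import Dict, List

# Constructed STIX2 bundle in the shape of an MVT IoC file.  Values use the
# reserved .invalid TLD and made-up names: they are not real indicators.
SAMPLE_STIX2_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f3a1c5e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0f3a1c5e-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'updates.example-cdn.invalid']"},
        {"type": "indicator", "id": "indicator--0f3a1c5e-0000-4000-8000-000000000003",
         "pattern": "[app:id = 'com.example.sysupdate']"},
        {"type": "indicator", "id": "indicator--0f3a1c5e-0000-4000-8000-000000000004",
         "pattern": "[process:name = 'bh']"},
        # Non-indicator objects (malware descriptions etc.) are present in real
        # bundles and must be ignored by the loader.
        {"type": "malware", "id": "malware--0f3a1c5e-0000-4000-8000-000000000005",
         "name": "Sample family"},
    ],
})

# Supports the single-comparison pattern form "[object:path = 'value']".
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+:[a-z0-9_.-]+)\s*=\s*'([^']*)'\]$")
URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)


def load_indicators(bundle_json: str) -> Dict[str, set]:
    """Group indicator values by STIX2 object path, e.g. 'domain-name:value'."""
    iocs: Dict[str, set] = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:  # unsupported pattern shape: skip rather than guess
            continue
        key, value = m.group(1), m.group(2).lower()
        iocs.setdefault(key, set()).add(value)
    return iocs


def domain_matches(host: str, domains: set) -> bool:
    """Exact or parent-domain match: a.b.example hits an indicator 'b.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_sms(messages: List[dict], iocs: Dict[str, set]) -> List[dict]:
    """Flag messages whose link hosts hit a domain-name indicator."""
    domains = iocs.get("domain-name:value", set())
    hits = []
    for msg in messages:
        for host in URL_HOST_RE.findall(msg.get("body", "")):
            if domain_matches(host, domains):
                hits.append({**msg, "matched_indicator": host})
                break
    return hits


def check_packages(packages: List[str], iocs: Dict[str, set]) -> List[str]:
    """Flag installed package names listed as app:id indicators."""
    return [p for p in packages if p.lower() in iocs.get("app:id", set())]


def check_processes(processes: List[str], iocs: Dict[str, set]) -> List[str]:
    """Flag running process names listed as process:name indicators."""
    return [p for p in processes if p.lower() in iocs.get("process:name", set())]


def scan(artifacts: dict, iocs: Dict[str, set]) -> Dict[str, list]:
    """Return only the modules with detections; an empty dict means no matches."""
    results = {
        "sms": check_sms(artifacts.get("sms", []), iocs),
        "packages": check_packages(artifacts.get("packages", []), iocs),
        "processes": check_processes(artifacts.get("processes", []), iocs),
    }
    return {module: found for module, found in results.items() if found}


# Constructed artifacts standing in for what check-adb pulls from a phone.
SAMPLE_ARTIFACTS = {
    "sms": [
        {"address": "+10000000000",
         "body": "Your parcel: https://updates.example-cdn.invalid/track/1"},
        {"address": "+10000000001", "body": "Lunch at 1? https://maps.example.com/x"},
    ],
    "packages": ["com.android.chrome", "com.example.sysupdate"],
    "processes": ["system_server", "bh", "com.android.phone"],
}

if __name__ == "__main__":
    found = scan(SAMPLE_ARTIFACTS, load_indicators(SAMPLE_STIX2_BUNDLE))
    if not found:
        print("no detections!")
    for module, hits in found.items():
        print(f"[{module}] {len(hits)} detection(s): {hits}")
```

The parent-domain rule is a deliberate choice: an indicator for a campaign domain should also catch links to its subdomains, but the comparison is anchored on a dot so that a look-alike such as `notupdates.example-cdn.invalid` does not match. Any hit here is still a warning to be interpreted, not a verdict.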
Legal and ethical: according to its license, MVT may only be used with the consent of the person who owns the device. The tool was created to defend civil society and support research, not for adversarial forensics.
Requirements and preparation of the environment
Before starting, make sure you have the essentials:
- An Android device and a USB data cable (USB-C or whatever your device uses).
- A computer running Linux (recommended) or Windows 10/11. On Windows we will use WSL to run MVT in a Linux environment.
Install MVT from PyPI or from source. The most direct route is PyPI:
pip3 install mvt
If you prefer to install from the repository:
git clone https://github.com/mvt-project/mvt.git
cd mvt
pip3 install .
Practical recommendation: create a Python virtual environment to avoid dependency conflicts. On a distro like Ubuntu:
sudo apt update && sudo apt upgrade -y
sudo apt install python3 python3-pip python3-venv -y
mkdir mvt-project && cd mvt-project
python3 -m venv mvt-env
source mvt-env/bin/activate
pip install mvt
mvt-android download-iocs
The download-iocs command fetches the indicator database that MVT will use to compare findings in your analysis. Run it again before each scan so that you are matching against the latest published indicators.
Prepare your Android phone
Enable developer options and USB debugging so that ADB can communicate with the phone:
- Open Settings > About phone (on some vendors, About phone > Software information) and tap 'Build number' seven times.
- Go back to Settings, open 'Developer options', and enable 'USB debugging'.
Connect the phone to the computer and accept the 'Allow USB debugging?' prompt, which shows the computer's RSA key fingerprint; tick 'Always allow from this computer' if you want to repeat the scan without confirming again.
Analysis from Linux: the most direct route
On Linux the flow is simpler because, unlike on Windows, you don't have to set up an additional USB bridge.
- Install ADB if you don't have it: sudo apt install android-tools-adb -y
- Connect the phone via USB and allow USB debugging in the on-screen prompt when asked.
- Check the connection with: adb devices (it should list your device with state device; unauthorized means the prompt on the phone has not been accepted yet).
- Run the analysis from your virtual environment: mvt-android check-adb -o ./analysis_results/
MVT may ask for your intervention in some phases (for example, to create an SMS backup). Keep an eye on both the terminal and the phone's screen.
Scanning from Windows with WSL
On Windows the recommendation is to use WSL with an Ubuntu distro. In addition, you need to create a USB bridge from Windows into WSL.
- Install ADB in WSL: sudo apt install android-tools-adb -y
- Install usbipd-win on Windows from an administrator PowerShell: winget install --interactive --exact dorssel.usbipd-win
Configure the dependencies in Ubuntu to be able to use USB forwarding:
sudo apt install linux-tools-generic hwdata
sudo update-alternatives --install /usr/local/bin/usbip usbip /usr/lib/linux-tools/*-generic/usbip 20
Manage USB devices from PowerShell (replace the bus ID with your phone's, as shown by usbipd list):
usbipd list
usbipd bind --busid <BUSID> --force
usbipd attach --wsl --busid <BUSID>
Check the connection in Ubuntu and launch the analysis:
adb devices
mvt-android check-adb -o ./analysis_results/
If everything is fine, MVT will start extracting artifacts and comparing them with the downloaded IoCs, saving the results in the folder you indicated.
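A preflight wrapper for the check-adb step in both the Linux and the WSL flows, added here as an illustration (it is not part of MVT or usbipd-win): it parses the output of adb devices, explains the states that most often stall a first scan (no device at all, unauthorized because the USB debugging prompt was not accepted, no permissions from missing udev rules, more than one device attached), and only then launches mvt-android check-adb with the output folder. The adb devices outputs embedded below are constructed samples in the real tool's format, and the output directory name is arbitrary.

```python
import subprocess
from typing import Dict

# Constructed samples of 'adb devices' output, in the real tool's format.
SAMPLE_READY = "List of devices attached\nR58N1ABCDEF\tdevice\n\n"
SAMPLE_UNAUTHORIZED = (
    "* daemon not running; starting now at tcp:5037\n"
    "* daemon started successfully\n"
    "List of devices attached\nR58N1ABCDEF\tunauthorized\n\n"
)
SAMPLE_NO_PERMS = (
    "List of devices attached\n"
    "????????????\tno permissions (user in plugdev group; are your udev rules wrong?); "
    "see [http://developer.android.com/tools/device.html]\n\n"
)
SAMPLE_EMPTY = "List of devices attached\n\n"


def parse_adb_devices(output: str) -> Dict[str, str]:
    """Map each serial in 'adb devices' output to its state.

    The header line, '* daemon ...' notices and blank lines are skipped; the
    state is everything after the first whitespace, so multi-word states such
    as 'no permissions (...)' survive intact.
    """
    states: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) == 2:
            states[parts[0]] = parts[1].strip()
    return states


def readiness(states: Dict[str, str]) -> str:
    """Return 'ready' or a human-readable reason why check-adb would fail."""
    if not states:
        return ("no device: check the cable, USB debugging, and under WSL that "
                "usbipd attach succeeded")
    if len(states) > 1:
        return "more than one device attached: unplug the others before scanning"
    serial, state = next(iter(states.items()))
    if state == "device":
        return "ready"
    if state == "unauthorized":
        return f"{serial}: unauthorized, accept the USB debugging prompt on the phone"
    if state.startswith("no permissions"):
        return f"{serial}: no permissions, fix the udev rules or the USB access of adb"
    return f"{serial}: state '{state}' is not usable for a scan"


def run_check_adb(output_dir: str = "./analysis_results/") -> int:
    """Preflight with 'adb devices', then hand over to mvt-android check-adb."""
    probe = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=False)
    status = readiness(parse_adb_devices(probe.stdout))
    if status != "ready":
        print(f"preflight failed: {status}")
        return 1
    # mvt-android drives the interactive parts (e.g. the SMS backup prompt) itself.
    return subprocess.run(["mvt-android", "check-adb", "-o", output_dir], check=False).returncode


if __name__ == "__main__":
    raise SystemExit(run_check_adb())
```

Run it from the activated virtual environment so that mvt-android is on the PATH. The unauthorized case is the one most people hit: the phone is listed, but the fingerprint prompt is still waiting on its screen, and check-adb cannot talk to it until that is accepted.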
How to interpret MVT results
The terminal output mixes progress messages with partial summaries. It's common to see modules that cannot be examined without root (for example, the history of certain apps); rooting a phone that is used every day is something the tool itself advises against.
A real example of an analysis: loading a database with 10,752 IoCs, reviewing running processes (967) and system properties (1,553), correctly identifying the model and network, and interactively asking to back up and read SMS. After that, the final message can be 'no detections!', indicating that no traces linked to known IoCs were found.
Remember the semantics of the colors: green is normal; yellow requires human analysis; red is usually a technical failure, not confirmation of infection.
What to do when you get a warning: review the specific artifacts (URLs, processes, packages). Compare dates and context, and check whether it corresponds to your usual usage. If you have serious doubts, seek specialized help.
Pegasus: What it is, how it works, and why it's so hard to see.
Pegasus is government-grade spyware developed by NSO Group and sold to state agencies for stated security purposes. Its sophistication has been demonstrated in multiple investigations and media cases.
Infection routes known or documented by researchers:
- Remote over-the-air installation (zero-click): the target does not need to interact; a push message or zero-day exploit triggers the infection chain without any visible alert.
- Social engineering: an SMS or email with a malicious link that induces a click; once the link is opened, the Pegasus payload is executed silently.
- Physical installation: with access to the handset, the infection can be completed in minutes and then operated remotely.
What data can be collected once inside: SMS, emails, chats (including those from end-to-end encrypted apps, read on the device itself after decryption), calendar entries, browsing history, geolocation, device information, screenshots, photos, microphone and call recordings, plus activating and deactivating sensors at will.
Pegasus minimizes its footprint: it uses an encrypted buffer that does not exceed roughly 5% of storage and deletes traces after exfiltration. It also throttles its activity to save battery and reduce suspicious signals.
Cases and context: targets have been documented in many countries and profiles (journalists, activists, politicians, and executives). In Spain, intrusions into the phones of the Prime Minister and the Minister of Defense were officially acknowledged. The case of the CEO of a large technology company was also investigated after he received a file through a messaging app. The UN even adopted a policy advising its senior officials against using certain messaging apps because of their history of exploitation in real campaigns.
Cost and business model: various leaks and reports point to high installation fees and per-target package prices, with annual maintenance fees representing a significant percentage of the contract.
Other detection tools and resources

MVT is not the only way to look for clues, but it is the main open and free option aimed at researchers and advanced users.
- iVerify (iOS): a commercial solution with a graphical interface, periodic scans, hardening guides, and alerts for signs of jailbreak or infection. It offers a one-time-payment plan and enterprise options. It started out as an iOS-only product, so check its current platform support before relying on it for Android, and like any tool in this sector it cannot guarantee total protection.
Keep in mind that, unlike MVT, these apps are not always designed for detailed forensic analysis but rather for security hygiene and continuous monitoring of the device.
Other high-level spyware that has come to light
The market is not limited to a single company. Other families with similar surveillance capabilities have come to light:
- FinFisher / FinSpy: A cross-platform solution (Windows, macOS, Linux, iOS, and Android) aimed at law enforcement. It can intercept encrypted messages and record VoIP calls. On iOS, it typically requires a jailbreak or exploit.
- Candiru: linked to operations against computers, mobile phones, and cloud services, with extensive data collection and modules to intercept communications and take control of sensors.
- Intellexa: An ecosystem of cyber intelligence tools that combines endpoint and cloud data collection, network surveillance, and big data analytics into a package marketed to government customers.
These suites share common features: vulnerability exploitation, covert exfiltration, and sensor control modules, making detection difficult without methodical analysis and proper forensic artifacts.
Good practices to reduce risk and act on suspicions
Prevention and attack surface reduction remain key for users and organizations, even against threats this advanced.
- Update the system and apps as soon as patches are available. Many campaigns rely on recently discovered vulnerabilities.
- Validate links and senders in SMS, messaging, and email. Avoid opening shortened URLs or unexpected attachments, even when they come from known contacts.
- Check the paired devices on your messaging and cloud accounts, and remove unknown sessions.
- Change passwords and enable two-step verification, especially on critical accounts.
- Periodic reboots on iOS may temporarily halt threats with limited persistence.
- A factory reset is an extreme measure; remember that it erases your data and does not guarantee the removal of highly persistent threats.
- Harden your setup. There are more radical recommendations, such as disabling iMessage and FaceTime if your risk profile warrants it; also consider a reputable VPN if your main threat is tracking on untrusted networks.
Faced with a serious indication (consistent alerts, strange communications, anomalous behavior), coordinate with specialists. One misstep can destroy evidence that would be valuable in a formal investigation.
MVT brings serious forensic analysis to technical users and, used judiciously, lets you review SMS, apps, processes, and system properties for IoCs of known campaigns. Its limits are clear (it doesn't detect common malware, its iOS coverage is stronger than its Android coverage, and its warnings need interpretation), but it provides a solid basis for gathering clues and making decisions. With good practices, constant updates, and common sense you'll reduce your exposure while having a concrete tool to verify suspicions about your device.