mvt

Python ★ 13k updated 21h ago

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.

A Python command-line tool built by Amnesty International for forensic analysis of Android and iOS devices. It scans backups for known spyware indicators and is designed for security researchers and investigators, not everyday users.

Python, setup: moderate, complexity 3/5

MVT (Mobile Verification Toolkit) is a Python command-line tool for forensic analysis of Android and iOS devices. It was built by Amnesty International's Security Lab in 2021 as part of the Pegasus Project, an investigation into spyware sold by NSO Group that was used to target journalists, activists, and civil society members. The tool automates gathering forensic evidence that can indicate whether a phone has been compromised by spyware.

The toolkit works by scanning a device's backup files or extracted data for known indicators of compromise, which are lists of suspicious file names, domain names, process names, and other markers associated with known spyware campaigns. Amnesty International maintains a public set of these indicators, and MVT supports loading them from a file to compare against what it finds on the scanned device.

There are two main commands: mvt-ios for Apple devices and mvt-android for Android. The tool outputs a structured report of what was found, flagging anything that matches an indicator. Installation is via pip or the uv package manager, and it requires some dependencies that are listed in the documentation.
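The indicator comparison described above can be sketched as follows. This is an added example, not MVT's code: the simplified JSON indicator layout, the record fields, and the function names are assumptions made for illustration, and all sample values are constructed. It shows why domains are matched on whole labels (subdomains hit, lookalike names do not) and file names on exact basename.

```python
import json
from urllib.parse import urlsplit

# Constructed indicator file content (simplified JSON, an assumption; not MVT's format).
INDICATORS_JSON = """
{"domains": ["bad-cdn.example", "track.invalid"],
 "process_names": ["fakesvcd"],
 "file_names": ["com.fake.agent.plist"]}
"""

# Constructed records standing in for data extracted from a device backup.
RECORDS = [
    {"source": "safari_history", "url": "https://news.example.org/story"},
    {"source": "safari_history", "url": "https://a1.BAD-CDN.example./x?id=7"},
    {"source": "safari_history", "url": "https://notbad-cdn.example/"},
    {"source": "processes", "process": "fakesvcd"},
    {"source": "files", "path": "/private/var/tmp/com.fake.agent.plist"},
    {"source": "files", "path": "/private/var/tmp/com.fake.agent.plist.bak"},
]

def load_indicators(text):
    """Normalise every indicator to lower case without a trailing dot."""
    raw = json.loads(text)
    return {kind: {v.lower().rstrip(".") for v in vals} for kind, vals in raw.items()}

def domain_hit(url, bad_domains):
    """Return the indicator matching the URL's host or any parent domain, else None."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lower-cased
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # whole-label suffixes only, never substrings
        if candidate in bad_domains:
            return candidate
    return None

def scan(records, iocs):
    """Return a copy of each record that matches an indicator, with the match attached."""
    detections = []
    for rec in records:
        hit = None
        if "url" in rec:
            hit = domain_hit(rec["url"], iocs.get("domains", set()))
        elif "process" in rec and rec["process"].lower() in iocs.get("process_names", set()):
            hit = rec["process"].lower()
        elif "path" in rec:
            name = rec["path"].rsplit("/", 1)[-1].lower()  # exact basename comparison
            hit = name if name in iocs.get("file_names", set()) else None
        if hit:
            detections.append({**rec, "matched_indicator": hit})
    return detections

if __name__ == "__main__":
    print(json.dumps(scan(RECORDS, load_indicators(INDICATORS_JSON)), indent=2))
```

An empty result from a scan like this only means none of the loaded indicators matched the extracted records.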

The README is explicit that this is a tool for technologists and investigators who understand digital forensics, not something designed for regular users to run on their own phones. It also notes that a clean result from MVT does not guarantee a device is safe, since public indicators do not cover all known spyware variants or the most recent attack methods. Comprehensive forensic support for high-risk individuals is available through Amnesty International and partners like Access Now.

The project uses a custom license rather than a standard open-source license, specifically to restrict use to consensual analysis and prevent it from being used to violate someone else's privacy without consent.

Where it fits