# Amnesty MVT (Mobile Verification Toolkit)

> Open-source forensic toolkit from Amnesty International's Security Lab. Scans iOS and Android backups for traces of Pegasus and other mobile spyware. The tool the Pegasus Project used to confirm infections.

**Source:** https://fieldwork.news/tools/amnesty-mvt
**Official site:** https://github.com/mvt-project/mvt
**Category:** security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** MVT is the gold standard for publicly available mobile spyware forensics. Built and maintained by Amnesty International's Security Lab, used in the Pegasus Project, peer-reviewed by Citizen Lab and independent researchers, fully open source, runs locally with no telemetry. The 'strong' rating reflects the tool itself — its provenance, transparency, and technical quality. It does not mean MVT will catch everything: signature-based detection is inherently limited, and unknown spyware will not appear in any IOC list. The right mental model is a smoke detector, not a force field. If you are a high-risk journalist who thinks you may be targeted, MVT is the right tool — but run it through a trained forensic investigator at Access Now, Citizen Lab, or Amnesty rather than going it alone.
- **Reviewed by:** Editorial assessment by Mike Schneider — based on public security research and audits
- **Last reviewed:** 2026-04-07
- **Threat level:** high-risk

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists, human rights defenders, lawyers, and activists in hostile environments who have reason to believe their phones may be targeted by state-grade spyware. Forensic investigators and digital security trainers supporting at-risk reporters. Anyone covering authoritarian regimes, organized crime, or surveillance abuses who needs to check whether their device has been compromised.

## Editorial take

MVT is the tool Amnesty International's Security Lab used to confirm Pegasus infections in the Pegasus Project — the 2021 investigation that found NSO Group spyware on the phones of journalists, activists, and heads of state across at least 50 countries. It is the most credible publicly available forensic tool for detecting mobile spyware, and there is nothing comparable in the commercial market. The job MVT does: take an encrypted iTunes backup of an iPhone, or a logical extraction of an Android device, and scan it against a library of indicators of compromise (IOCs) — file hashes, suspicious process names, known command-and-control domains, anomalous SMS and iMessage records — published by Amnesty and other research groups. If MVT finds a match, you have probable evidence of infection. If it finds nothing, you have meaningful but not absolute reassurance. The honest limits: MVT detects what we already know about. Zero-day exploits and unknown spyware families will not appear in any IOC list until researchers find them. Pegasus operators have repeatedly updated their malware to evade prior detection signatures. MVT is also a command-line tool that requires comfort with the terminal, Python, and an understanding of mobile forensics — this is not a one-click app for nervous users. Amnesty explicitly recommends working with a digital security professional rather than self-diagnosing. For high-risk reporters in countries that buy commercial spyware (Mexico, Saudi Arabia, India, Hungary, Morocco, UAE, and dozens more documented by Citizen Lab), MVT is essential infrastructure. For everyone else, the realistic answer is: you almost certainly do not need this, and if you think you might, you need a trained investigator running it for you, not a tutorial.

## Best for / not for

**Best for:** Confirming or ruling out known Pegasus, Predator, and other commercial mercenary spyware on a specific device. Forensic baselining when an at-risk journalist suspects targeting. Training and capacity-building for digital security helpdesks at press freedom organizations. Building IOC libraries from new spyware research. Documenting infections for legal and advocacy work.

**Not for:** Real-time protection — MVT is forensic, not preventive. It does not block or remove spyware. Detecting unknown or zero-day spyware that has no published IOCs. Self-diagnosis by users without a forensics background — interpreting results requires expertise, and false positives are common. Routine personal threat modeling for journalists who are not specifically targeted by state actors. Replacing a security helpdesk like Access Now's Digital Security Helpline, which can run MVT for you.

## Pricing

- **Pricing:** Free. Open source, MIT-licensed-with-restrictions (custom Mozilla Public License variant prohibiting non-consensual use).
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes
- **Data jurisdiction:** Software is open source, hosted on GitHub (Microsoft, US). The toolkit runs locally on your machine — there is no server-side component, no telemetry, no data sent to Amnesty or anyone else. Your forensic data stays on the device you run it on. Indicators of compromise (STIX2 files) are downloaded from public Amnesty and partner repositories.

**Privacy policy TL;DR:** No privacy policy needed — MVT does not collect or transmit data. It is a local command-line tool. The only network calls are to fetch updated IOC files from public GitHub repositories. Your phone backups, scan outputs, and findings never leave your computer unless you choose to share them.

**Practical mitigations (operational guidance, not optional):**

Run MVT on an air-gapped or trusted forensics workstation, never on the suspect device itself. Always use encrypted iOS backups (set a backup password in Finder/iTunes) — MVT requires this to extract iMessage and other encrypted records. For Android, follow Amnesty's documentation carefully — the Android extraction process is more limited and more invasive. Update IOC files from the official mvt-project and Amnesty repositories before each scan. Do not interpret results yourself if your safety depends on it — contact Access Now Digital Security Helpline (free, 24/7, multilingual), Citizen Lab, or Amnesty's Security Lab for analysis. Document everything: scan outputs, timestamps, device serial numbers, and chain of custody if findings might be used legally. Assume that running MVT does not make your phone secure going forward — if you find an infection, treat the device as permanently compromised and replace it.

## Ownership & business

- **Owner:** Amnesty International — Security Lab (mvt-project on GitHub, with contributions from independent researchers)
- **Funding model:** Funded by Amnesty International as part of its Security Lab program. Amnesty is a nonprofit funded by individual donations, foundation grants, and member contributions. Receives no government funding for its core human rights work.
- **Business model:** Not a business. MVT is a public-interest research tool released free under an open source license. Amnesty's Security Lab also publishes IOC reports, technical writeups, and helps coordinate international forensic investigations. Paid commercial use, especially for surveillance or against the consent of device owners, is explicitly prohibited by the license.
- **Open source:** yes
- **Built for journalism:** yes

**Known issues:** Detection is signature-based — only finds spyware with published indicators. Updated NSO and Intellexa malware variants have evaded prior MVT signatures until new IOCs are published. Android support is significantly weaker than iOS support because Android's forensic surface is fragmented across manufacturers and harder to extract from non-rooted devices. Command-line interface is a real barrier for non-technical users. Encrypted iOS backups are mandatory for full results, which trips up first-time users. False positives happen and require expert interpretation. Citizen Lab and Amnesty have warned repeatedly that absence of evidence is not evidence of absence — a clean MVT scan does not mean a phone is uninfected, only that no known signatures matched.

---
Canonical HTML: https://fieldwork.news/tools/amnesty-mvt
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology