How to install and use MVT on Android to detect advanced spyware

  • MVT compares Android artifacts with known spyware IoCs like Pegasus.
  • The root-free scan is valid, although some modules fail to run; the warnings need to be interpreted.
  • Step-by-step guide for Linux and Windows/WSL: installation, ADB, connection, and check-adb.
  • A result of no findings indicates absence of known traces, not total immunity.

Are you worried that your Android phone could be under surveillance without you knowing? In recent years, cases of spying using advanced software like Pegasus have come to light, and many users are wondering if there's any reliable way to verify it. The answer lies in MVT (Mobile Verification Toolkit), an open-source forensic tool developed by Amnesty International's Security Lab that allows users to search for technical traces of sophisticated spyware.

This guide brings together, in a single resource, everything you need to understand, install, and use MVT on Android: from what it actually scans and what it doesn't, to how to interpret its results and run a step-by-step scan on both Linux and Windows using WSL. We also include key context about Pegasus, why conventional antivirus software doesn't work against these types of threats, and what realistic expectations you should have when using this tool.

What is MVT and why is it not a conventional antivirus?

Mobile Verification Toolkit (MVT) is a set of forensic utilities designed to detect signs of compromise on Android and iOS. It was born in July 2021 within the framework of the so-called Pegasus Project, and since then its methodology, architecture and list of threat indicators (IoCs) have been updated to help researchers and civil society identify traces of highly sophisticated spyware.

The big difference from a conventional antivirus is that MVT does not scan for “common malware” such as banking Trojans, adware, or typical malicious applications. Its focus is much more specific: comparing system artifacts against documented IoCs (e.g., known domains, paths, processes, or patterns) associated with state-level spyware, like Pegasus. Therefore, a clean scan in MVT does not guarantee that your phone is free of any threats, only that the particular fingerprints the tool knows about have not been detected.

MVT is developed in Python and is free software. It includes two main commands: mvt-android for Android and mvt-ios for iOS. Among its notable capabilities, it can extract diagnostic information via ADB, download installed APKs for inspection, generate timelines of forensic events, compare artifacts with IoCs in STIX2 format, and separate into JSON files the traces that it considers malicious for your review.
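To make the IoC comparison concrete, here is an added example (not MVT's own code) that loads indicators from a STIX2 bundle and checks links in SMS records against the domain indicators. The bundle, the messages, the function names and the simplified subdomain-matching rule are all constructed assumptions for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed STIX2 bundle; names and domains are placeholders, not real IoCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "malware", "name": "ExampleSpyware"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value='tracker.example']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[process:name='com.example.updaterd']"},
    ],
})

SAMPLE_SMS = [  # constructed records
    {"sender": "+10000000001", "body": "Parcel held: https://cdn.tracker.example/p?id=1"},
    {"sender": "+10000000002", "body": "Menu at https://nottracker.example/ today"},
]

def load_iocs(bundle_text):
    """Group simple [type:field='value'] indicator patterns by object type."""
    iocs = {}
    for obj in json.loads(bundle_text).get("objects", []):
        pattern = obj.get("pattern", "").strip()
        simple = pattern.startswith("[") and pattern.endswith("']") and "='" in pattern
        if obj.get("type") != "indicator" or not simple:
            continue  # non-indicator objects and compound patterns are skipped
        key, value = pattern[1:-2].split("='", 1)
        iocs.setdefault(key.split(":")[0], set()).add(value.lower())
    return iocs

def match_domain(url, domains):
    """Return the IoC domain the URL's host equals or is a subdomain of."""
    host = (urlparse(url).hostname or "").lower()
    return next((d for d in sorted(domains) if host == d or host.endswith("." + d)), None)

def scan_messages(messages, iocs):
    """Return (sender, matched IoC) for every link that hits a known domain."""
    hits = []
    for msg in messages:
        for word in msg["body"].split():
            if word.startswith(("http://", "https://")):
                ioc = match_domain(word, iocs.get("domain-name", set()))
                if ioc:
                    hits.append((msg["sender"], ioc))
    return hits
```

A link to a domain that is not in the bundle produces no hit, which is exactly why a clean result only speaks for the indicators that were loaded.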

Pegasus in context: range, vectors, and why it's so hard to detect

Pegasus is spyware developed by NSO Group, an Israeli company that claims to sell its tools to governments and agencies "to fight crime and terrorism." In practice, various investigations have pointed to its use against journalists, activists and politicians, with documented cases in dozens of countries.

This spyware is capable of activating the microphone and camera, reading messages and emails, and tracking location, all covertly. Historically it has exploited zero-day vulnerabilities, which explains why traditional antivirus products do not detect it. In 2019, a case of exploitation via WhatsApp came to light in which it was not even necessary to answer the call for the intrusion to succeed, illustrating the level of sophistication.

The reported deployment costs are high: installation fees of hundreds of thousands of dollars have been quoted, along with prices for "packages" of targets (for example, 10 iPhones or 10 Androids) with annual maintenance. High-profile victims have also been revealed (such as activist Ahmed Mansoor or the case that affected Jeff Bezos's entourage), and investigations have been opened in the EU and other countries as a result of different episodes.

High-profile infections have been recognized in Spain, such as those affecting the President of the Government and the Minister of Defense, confirmed by analysis by the National Cryptologic Center. This overview helps to understand why MVT exists: to provide a documented and transparent way to check for technical traces of these attacks, even if it is not "definitive proof" of authorship.

What MVT can (and can't) tell you

MVT can tell you if it finds matches to specific IoCs of advanced spyware in the artifacts it manages to extract from your Android (logs, SMS, system properties, installed packages, etc.). If there are matches, it will point you to the findings so you can review them in detail and assess their meaning with forensic criteria.

What MVT doesn't do is act as a generic malware scanner: it is not intended to detect common viruses, financial Trojans, or phishing apps. If your result is "clean", it means that the fingerprints it knows have not been found, not that your device is free from any threats. It is a focused test, and is therefore useful as a complement to good security practices and other reviews.

Another practical limitation: certain deeper analyses require root, and the developers themselves do not recommend it for regular users due to integrity and exposure risks. MVT works without root, although in those cases some modules (for example, access to very specific histories) may not run.

How to interpret the on-screen verdict

During the scan you will see status messages and warnings. It's helpful to understand the usual "color code" so you don't get unnecessarily alarmed or miss important signals.

  • Green: normal tool activity; indicates progress and tasks that are executed correctly.
  • Yellow (Warning): possible anomalies or suspicious elements that require review. It is not confirmation of infection; it may be SMS messages with strange links or unusual processes which later turn out to be benign. They must be interpreted.
  • Red: usually reflects technical problems during extraction (for example, a corrupt file in the backup). It does not necessarily equal infection and is often resolved by repeating the step or adjusting permissions.

In recent runs, MVT has loaded tens of thousands of IoCs before comparing. If the device is not rooted, you'll see benign errors in modules that require deeper permissions. The tool may ask you to accept a backup on screen in order to analyze SMS and other permitted data.

In a documented case study, MVT analyzed 967 running processes and 1,553 system properties, correctly identifying the model (for example, a Samsung SM-S931B with a specific network), and printed the message “produced no detections!”. This type of verdict indicates that, according to the downloaded indicator database, there are no traces of the spyware being sought in that execution.

Installing MVT: Available Options

MVT can be installed from PyPI with pip or from the source code on GitHub. For most users, the PyPI route will be more direct within a Python virtual environment. On iOS the command is mvt-ios and on Android it is mvt-android; here we'll focus on Android, although you'll see some quick references to iOS.

Example of installation via PyPI in an environment already prepared with Python 3 and pip: pip3 install mvt. If you prefer to clone the repository, you can use git clone and then install the package locally with pip3 install .

Step-by-step guide for Android

Below is a complete workflow to prepare the environment, configure the phone and launch the analysis both on Linux (more direct) and on Windows via WSL (requires an additional USB bridge). Follow the steps calmly and, if you have any doubts, check the official project documentation.

Prerequisites

  • An Android phone with a USB-C data cable in good condition.
  • A computer running Linux (recommended) or Windows 10/11. On Windows, WSL with Ubuntu will be used to run MVT.

Prepare the environment in Linux (Ubuntu or another distro)

1) Update the system to have recent packages:

sudo apt update && sudo apt upgrade -y

2) Install Python 3, pip and venv (if you don't have them yet):

sudo apt install python3 python3-pip python3-venv -y

3) Create and activate a virtual environment to isolate dependencies:

mkdir mvt-project && cd mvt-project
python3 -m venv mvt-env
source mvt-env/bin/activate

4) Install MVT and download the IoCs that the analysis will use:

pip install mvt
mvt-android download-iocs

Prepare your Android phone

Enable developer options and USB debugging so that the computer can communicate with the phone using ADB:

  • Go to Settings > About phone > Software information and tap “Build Number” seven times.
  • Go back, open Developer options and enable USB debugging.

Connection and analysis in Linux

Install ADB if you don't have it yet, then connect your phone and authorize debugging:

sudo apt install android-tools-adb -y
adb devices

If the device appears as "device", it is already recognized. Keep your virtual environment active and launch the analysis, indicating an output folder for the results:

mvt-android check-adb -o ./resultados_analisis/

During the process, MVT may prompt you on screen to authorize a backup in order to analyze SMS or other data accessible without root. Accept on the phone when the warning appears.
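As an added example (not part of MVT or ADB), the following pre-flight check interprets the text printed by adb devices before you start the scan, covering the states other than "device" that block the connection. The sample output, serials, hint wording and function names are constructed assumptions.

```python
# Constructed sample of `adb devices` output; the serials are placeholders.
SAMPLE_OUTPUT = """List of devices attached
R5CX00000AA\tunauthorized
emulator-5554\toffline
R5CX00000BB\tdevice

"""

HINTS = {
    "unauthorized": "unlock the phone and accept the USB debugging prompt",
    "offline": "reconnect the cable or restart the ADB server",
    "no permissions": "ADB cannot open the USB device; check USB access or the WSL attach step",
}

def parse_adb_devices(output):
    """Return (ready_serials, problems) from the text printed by `adb devices`."""
    ready, problems = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(("List of devices", "* daemon")):
            continue  # header, blank lines and daemon start-up notices
        serial, _, state = line.partition("\t")
        state = state.strip()
        if state == "device":
            ready.append(serial)
        else:
            key = next((k for k in HINTS if state.startswith(k)), None)
            problems.append((serial, state, HINTS.get(key, "unexpected state")))
    return ready, problems

def preflight(output):
    """Decide whether it makes sense to start mvt-android check-adb."""
    ready, problems = parse_adb_devices(output)
    if len(ready) == 1:
        return True, f"{ready[0]} is ready"
    if not ready:
        detail = "; ".join(f"{s}: {h}" for s, _, h in problems) or "no device listed"
        return False, detail
    return False, "more than one device is ready; unplug the others first"

if __name__ == "__main__":
    print(preflight(SAMPLE_OUTPUT))
```

The same check applies after the USB bridge step on Windows/WSL, where an empty list usually means the phone has not been attached to WSL yet.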

Connecting and analyzing on Windows with WSL (Ubuntu)

On Windows there is an extra step: you need to create a USB bridge between Windows and the Linux environment (WSL) so that ADB from Ubuntu can “see” your phone.

1) On Ubuntu (WSL), install ADB:

sudo apt install android-tools-adb -y

2) In PowerShell (Administrator), install the USB/IP service for Windows:

winget install --interactive --exact dorssel.usbipd-win

3) On Ubuntu (WSL), add usbip dependencies and configure the alternative:

sudo apt install linux-tools-generic hwdata
sudo update-alternatives --install /usr/local/bin/usbip usbip /usr/lib/linux-tools/*-generic/usbip 20

4) In PowerShell, list the USB devices, then bind and attach your phone's bus (replace <ID> with the identifier that the first command shows you):

usbipd list
usbipd bind --busid "<ID>" --force
usbipd attach --wsl --busid "<ID>"

5) Return to Ubuntu (WSL), check that ADB detects the device and run MVT:

adb devices
mvt-android check-adb -o ./resultados_analisis/

If everything is correct, the tool will start logging its tasks and generate JSON files with the extracted artifacts and findings (if any).

Useful commands and additional options

Downloading the installed APKs for manual review can help you inspect packages:

mvt-android download-apks --output /path/to/folder

On iOS, the flow is different. For example, to check a file system dump, mvt-ios provides the check-fs subcommand, which extracts artifacts to which the available IoCs and modules are then applied.

What you'll see in the results and how to review them

MVT leaves the results in the folder you specify with -o. There you will find JSON files with artifacts and possible matches and, where applicable, unified timelines that make it easier to correlate events.

Start by reviewing the notices flagged as suspicious or anomalous. Check the associated IoCs (domains, paths, patterns) and compare them with public sources or Amnesty documentation to understand their relevance. Remember that a "warning" is not a verdict: there may be false positives or legitimate items with misleading names.

When there are errors in red (for example, when trying to read a file), consider repeating the step, checking permissions, re-authorizing the backup or even restarting ADB. Often these are access issues, not security issues.
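One way to get a first overview of the output folder is the added example below (not part of MVT), which counts extracted and flagged entries per module and lists files that could not be parsed separately, since those point to extraction problems and not to detections. The file-naming convention it relies on and the sample folder contents are assumptions stated in the code.

```python
import json
import tempfile
from pathlib import Path

def summarize_results(folder):
    """Map module -> (total entries, flagged entries) for an output folder.

    Assumption: each module writes NAME.json and, when something matched,
    NAME_detected.json, both holding a JSON list; check this on your version.
    """
    summary, unreadable = {}, []
    for path in sorted(Path(folder).glob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            unreadable.append(path.name)  # extraction problem, not a detection
            continue
        if not isinstance(data, list):
            continue  # metadata files are not artifact lists
        flagged = path.stem.endswith("_detected")
        module = path.stem[: -len("_detected")] if flagged else path.stem
        total, hits = summary.get(module, (0, 0))
        summary[module] = (total, len(data)) if flagged else (len(data), hits)
    return summary, unreadable

def needs_review(summary):
    """Modules with at least one flagged entry, most hits first."""
    flagged = [(m, hits) for m, (_, hits) in summary.items() if hits]
    return sorted(flagged, key=lambda item: -item[1])

def build_sample(folder):
    """Write constructed files imitating an output folder (not real MVT data)."""
    folder = Path(folder)
    (folder / "sms.json").write_text(json.dumps([{"body": "a"}, {"body": "b"}]))
    (folder / "sms_detected.json").write_text(json.dumps([{"body": "b"}]))
    (folder / "processes.json").write_text(json.dumps([{"proc_name": "init"}]))
    (folder / "info.json").write_text(json.dumps({"note": "metadata"}))
    (folder / "getprop.json").write_text("[{")  # truncated on purpose
    return folder

def demo():
    """Run the summary over the constructed sample folder."""
    with tempfile.TemporaryDirectory() as tmp:
        summary, unreadable = summarize_results(build_sample(tmp))
    return summary, needs_review(summary), unreadable

if __name__ == "__main__":
    print(demo())
```

To use it on a real scan, call summarize_results with the folder you passed to -o and open the flagged modules' files by hand.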

If you get "no detections", you can rest easier regarding the high-profile spyware included in the current indicator list. Always complement this with safety habits: daily updates, care with links and attachments, and periodic review if you belong to at-risk groups.