- MVT checks for advanced spyware IoCs; it is not a general-purpose antivirus.
- Easy installation in Linux and viable on Windows with WSL and usbipd.
- Interpreting the colours and warnings: they require context and are not verdicts.
- If suspicion persists, resort to advanced forensics (UFED, JTAG, databases).
Android, like any popular operating system, coexists with threats ranging from common malware to high-end spyware. You don't have to be a target: open the wrong attachment or click a malicious link and you're in trouble. The truly disturbing part is professional spyware: silent programs that collect data without permission and that have, on occasion, hit high-profile figures. When faced with that reasonable doubt ('What if I'm being spied on?'), there is a free, public tool that brings us closer to a real forensic analysis without being experts: MVT.
What is MVT and why it matters
MVT doesn't clean or disinfect your phone: its job is to check for technical signs of sophisticated spyware. We're talking about clues such as domains, URLs, process names, or system events documented in public investigations. This IoC database is kept updated and available for download so that the analysis is as comprehensive as possible.
Unlike an antivirus, MVT is focused on specific, high-profile threats: it won't detect a common banking Trojan or warn you about aggressive adware. Its value lies elsewhere: it brings an accessible forensic methodology to the review of SMS, browsing history, system logs and other key artifacts where espionage campaigns often leave breadcrumbs.
What MVT can and cannot detect
MVT is ideal for checking for indicators of advanced spyware like Pegasus, but not for hunting everyday 'battlefield' malware. Don't expect it to identify generic viruses, phishing, banking trojans or scam apps; for those, digital hygiene, checks with conventional security solutions, and common sense remain key.
A 'clean' result in MVT means that no known IoCs were found on your device, not that the phone is impeccable in the face of any threat. Conversely, a warning requires interpretation: it can range from a suspicious link received via SMS to a process that warrants a second look, but it doesn't necessarily constitute confirmation of compromise.
How to interpret MVT results
MVT's output is technical, but its colour scheme helps: you will see events in green when everything is going well, alerts in yellow when something abnormal is detected, and red for process errors (for example, if it could not read a backup file).
- Green: normal progress of checks and successful operations.
- Yellow (Warning): Possible indicator to review. It is not confirmation of infection and should be analyzed in context.
- Red: technical failure of the analysis process, usually not linked to infection.
In a real-world run, MVT loaded over 10,700 IoCs, reviewed hundreds of processes and over a thousand system properties, identified the model and carrier of the handset, and returned 'produced no detections' after finding no relevant matches. It also reported errors when trying to read Chrome or WhatsApp data in depth because the phone was not rooted; that is a technical warning, not a symptom of infection.
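To make the 'clean means no known IoC matched' point concrete, here is a stripped-down version of the check MVT performs on SMS links, written for this article and not taken from the MVT project: it loads domain-name indicators from a STIX2 bundle (the format MVT's IoC files use) and flags messages whose links point at an indicator domain or one of its subdomains. The bundle, the SMS bodies, the domain names and the suffix-matching policy are all constructed here for illustration.

```python
"""Minimal IoC match against SMS links (illustrative, not MVT's own code)."""
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape MVT's IoC files use; domains are fictitious.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--constructed-example",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'spy-update.example']"},
        {"type": "indicator", "pattern": "[process:name = 'constructed-proc']"},
        {"type": "malware", "name": "constructed-placeholder"},
    ],
})

# Constructed SMS bodies: one carries a link under an indicator domain,
# one a lookalike that must NOT match, one is harmless.
SAMPLE_SMS = [
    "Your package is waiting: https://cdn.spy-update.example/track?id=1",
    "Login reminder http://spy-update.example.com/portal",
    "Dinner at 8?",
]

DOMAIN_RE = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")
URL_RE = re.compile(r"https?://\S+")


def load_domain_iocs(bundle_json):
    """Return the lower-cased set of domain-name indicators from a STIX2 bundle string."""
    domains = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = DOMAIN_RE.fullmatch(obj.get("pattern", ""))
        if match:
            domains.add(match.group(1).lower())
    return domains


def check_sms(messages, domains):
    """Return (message_index, url) for links whose host is an IoC domain or a subdomain of one.
    A hit is a 'yellow' finding: it shows a known-bad link was received, not that it was opened."""
    hits = []
    for index, body in enumerate(messages):
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((index, url))
    return hits


if __name__ == "__main__":
    found = check_sms(SAMPLE_SMS, load_domain_iocs(STIX_BUNDLE))
    print(found if found else "produced no detections")
```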
Previous requirements
For Android you will need the phone, a USB data cable and a computer running Linux (recommended) or Windows 10/11 with WSL. The process is performed from the terminal, requires patience, and means accepting debugging or backup prompts on the phone itself.
- Android phone with USB data cable.
- PC running Linux (Ubuntu) or Windows with WSL. On Linux it's more straightforward; on Windows you have to bridge the USB to WSL.
Installation and preparation on Linux (Ubuntu)
The easiest route is Linux, where everything is solved without intermediate layers. Start by updating your system and preparing Python with a virtual environment to isolate dependencies.
sudo apt update && sudo apt upgrade -y
sudo apt install python3 python3-pip python3-venv -y
mkdir mvt-project && cd mvt-project
python3 -m venv mvt-env
source mvt-env/bin/activate
pip install mvt
mvt-android download-iocs
This last command downloads the indicators of compromise that MVT will use during the analysis. Keeping them updated is key to not losing coverage from recent campaigns.
Prepare your Android phone
Enable developer options and USB debugging so your computer can communicate with your phone. The standard route is simple and reversible.
- Go to 'Settings' > 'About phone' > 'Software information' and tap 'Build number' 7 times.
- Go back to 'Settings' and under 'Developer options' enable 'USB debugging'.
When you connect your phone to your PC, authorize the computer's key fingerprint in the on-screen prompt and check 'Always allow' so you don't have to repeat the confirmation.
Direct analysis via ADB on Linux
With the environment ready, install ADB, connect your phone, and verify that the computer recognizes the device. From there, run MVT with its output sent to a dedicated folder.
sudo apt install android-tools-adb -y
adb devices
mvt-android check-adb -o ./analysis_results/
The process may ask you to accept a backup request on the phone in order to analyze SMS or other artifacts. Do not disconnect the cable and keep the screen active during the extraction.
Windows with WSL: USB bridging and running
On Windows, it is recommended to use WSL (Ubuntu) and the usbipd-win project to 'pass' the USB port to the Linux environment. It's a little more technical, but doable with these steps.
- In the Ubuntu terminal on WSL: sudo apt install android-tools-adb -y
- In PowerShell with administrator permissions: winget install --interactive --exact dorssel.usbipd-win
Install additional tools on Ubuntu and configure the alternative for USBIP (needed to work with the USB bus from WSL).
sudo apt install linux-tools-generic hwdata -y
sudo update-alternatives --install /usr/local/bin/usbip usbip /usr/lib/linux-tools/*-generic/usbip 20
Link the device from PowerShell and assign it to WSL by replacing the bus ID with yours (first list, then 'bind' and finally 'attach').
usbipd list
usbipd bind --busid <BUSID> --force
usbipd attach --wsl --busid <BUSID>
Back in Ubuntu, verify the device and launch MVT with the same syntax as in native Linux.
adb devices
mvt-android check-adb -o ./analysis_results/
If everything is OK, you will see the 'device' status in ADB and MVT will start processing artifacts from the phone, generating JSON files with findings and logs in the output folder.
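As an added example (not part of the article or the MVT project), a small triage helper for that output folder: it counts the entries in each module's findings file and splits the run log by level, so a yellow warning (something to review) is not confused with a red error (the analysis failed to read something). It assumes MVT's `<module>_detected.json` naming and a `command.log` whose lines contain ` - LEVEL - `; the sample log lines are constructed.

```python
"""Triage helper for an MVT output folder (illustrative, assumes MVT's file naming)."""
import json
import re
from pathlib import Path

LOG_LEVEL_RE = re.compile(r" - (INFO|WARNING|ERROR|CRITICAL) - ")

# Constructed log lines in the '%(asctime)s - %(name)s - %(levelname)s - %(message)s' shape.
SAMPLE_LOG = [
    "2024-01-01 10:00:00,000 - mvt_android.modules.adb.sms - INFO - Extracted 42 messages",
    "2024-01-01 10:00:01,000 - mvt_android.modules.adb.sms - WARNING - Found a suspicious URL",
    "2024-01-01 10:00:02,000 - mvt_android.modules.adb.chrome_history - ERROR - Permission denied (not rooted)",
]


def load_detected(outdir):
    """Read every <module>_detected.json in outdir into {module: parsed JSON}."""
    detected = {}
    for path in sorted(Path(outdir).glob("*_detected.json")):
        with open(path, encoding="utf-8") as fh:
            detected[path.name[: -len("_detected.json")]] = json.load(fh)
    return detected


def summarize_detections(detected):
    """Return {module: number of flagged entries}, skipping modules whose file is empty."""
    summary = {}
    for module, data in detected.items():
        count = len(data) if isinstance(data, (list, dict)) else 1
        if count:
            summary[module] = count
    return summary


def summarize_log(lines):
    """Count log lines per level; WARNING maps to 'yellow', ERROR/CRITICAL to 'red'."""
    counts = {"INFO": 0, "WARNING": 0, "ERROR": 0, "CRITICAL": 0}
    for line in lines:
        match = LOG_LEVEL_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def verdict(det_summary, log_counts):
    """One-line reading of a run: IoC hits and read failures are reported separately."""
    hits = sum(det_summary.values())
    failures = log_counts["ERROR"] + log_counts["CRITICAL"]
    head = f"{hits} IoC hit(s) in {sorted(det_summary)}" if hits else "produced no detections"
    return f"{head}; {failures} read failure(s) (red, not a sign of infection)"


if __name__ == "__main__":
    print(verdict(summarize_detections(load_detected("./analysis_results/")), summarize_log(SAMPLE_LOG)))
```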
Method with Android backup
There is a way to analyze a backup, useful when a direct check via ADB is not possible, although note that the 'adb backup' command is deprecated.
Generate the backup and then pass it to MVT for an offline review of what it can extract.
~/Downloads/platform-tools/adb backup -all
Confirm the operation on your phone, save the 'backup.ab' file and pass it to MVT for scanning.
mvt-android check-backup -o ./analysis_results/ backup.ab
Remember: due to the deprecation of 'adb backup', you won't always get the desired depth. Whenever possible, prioritize direct ADB scanning.
iOS: Notes and Docker Options (Context)
Although we focus on Android here, MVT also supports iOS, and there are guides for doing it with Docker on Linux when a specific version of libimobiledevice is required. This is useful if you want to check an iPhone within the same forensic workflow.
A typical itinerary includes preparing directories, downloading the IoCs, building the Docker image, backing up and decrypting the copy, and running the check. Short outline:
mkdir Pegasus && cd Pegasus
mkdir ioc backup decrypted checked
wget https://raw.githubusercontent.com/AmnestyTech/investigations/master/2021-07-18_nso/pegasus.stix2 -O ioc/pegasus.stix2
wget https://raw.githubusercontent.com/mvt-project/mvt/main/Dockerfile -O Dockerfile
docker build -t mvt .
systemctl stop usbmuxd
docker run -it --privileged --rm -v /dev/bus/usb:/dev/bus/usb --net=host -v $PWD/ioc:/home/cases/ioc -v $PWD/decrypted:/home/cases/decrypted -v $PWD/checked:/home/cases/checked -v $PWD/backup:/home/cases/backup mvt
usbmuxd
ideviceinfo
idevicebackup2 backup encryption on -i
idevicebackup2 backup --full backup/
mvt-ios decrypt-backup -p <BACKUP_PASSWORD> -d decrypted backup/
mvt-ios check-backup -o checked --iocs ioc/pegasus.stix2 decrypted
Analysis on iOS also generates JSON with detections and a timeline, based on the public IoCs associated with Pegasus.
Pegasus: context and cases that explain the usefulness of MVT
Pegasus is a commercial spyware from the NSO Group, sold to governments and agencies for legitimate operations. Research has shown that it has also been used against journalists, activists, and public figures. It is said to have high-impact capabilities: access to messages, location, microphone, camera, and even "zero-click" infections by exploiting zero-day vulnerabilities.
Notorious cases have put the spotlight on this type of tool: from the analysis of Jeff Bezos's phone after receiving a video via instant messaging, to investigations that identified thousands of potential targets and episodes of spying on political leaders in several countries. The UN itself recommended against using certain apps in sensitive environments, precisely because of their value to attackers.
The estimated cost of these services, and how it scales with the number of targets, has also come to light, which reinforces the idea that spyware attacks in this league are usually targeted rather than mass-market. For ordinary citizens the risk is much lower; for exposed profiles, MVT is a prudent check.
Forensic methodologies when MVT is not enough
If you seriously suspect compromise and MVT yields no evidence, the next step is classic forensics: acquisition and in-depth analysis. Here experts and laboratories come in with hardware and specific software.
Forensic acquisition can be physical (ideal) or logical (limited). Solutions like Cellebrite UFED extract a full image when feasible; otherwise, advanced techniques like JTAG or chip-off can recover data directly from memory when the device is locked or damaged.
JTAG
JTAG allows communication with the device's test ports to dump raw memory. It requires identifying the TAPs on the board, wiring or a jig, a compatible emulator, and setting processor/memory parameters before reading the flash.
- TAP Identification: by PCB documentation or inspection.
- Connection: fine soldering or a solderless jig.
- Tooling: JTAG emulator with model support.
- Reading: flash memory dump and subsequent analysis.
Chip-off
Chip-off consists of unsoldering the memory chip and reading it into a socket. It's drastic but effective when the device won't boot. Its feasibility depends on the model and hardware or system encryption.
- Disassembly and location of the chip.
- Controlled desoldering and cleaning of the chip package.
- Reading on a dedicated reader and image analysis.
Analysis of the evidence
With the image in hand, the orthodox thing to do is to calculate hashes (SHA-256, with SHA-1/MD5 used in combination) to preserve integrity and work only on verified copies. Tools such as Autopsy, X-Ways, or OSForensics help scan and correlate artifacts.
On Android, priority is given to locating APKs, deleted files, and file-type mismatches, using modules such as 'PhotoRec Carver', 'Hash Lookup', 'File Type Identification' and 'Extension Mismatch Detector', as well as checking that there are no executables 'camouflaged' under harmless extensions.
Suspicious APKs are exported and compared against known reputation and signatures on engines like VirusTotal. It's worth remembering that a single engine detecting something isn't enough: there are false positives and PUPs that aren't spyware.
Databases (mainly SQLite) hold much of the truth: messages, history, network usage logs. Reviewing journal files, tables, and time-based relationships helps reconstruct activity. Indexing and searching by keywords, emails, phone numbers, or IP addresses speeds up correlation between sources.
If spyware or exfiltration is confirmed, the expert report must document the acquisition, hashes, methodology and destination of the data (domains, IPs, accounts), including screenshots and chain of custody if it is to be used as evidence.
Practical advice and limits of analysis
Avoid rooting the device before analysis unless the forensic procedure calls for it. Root can alter artifacts or open additional doors that distort evidence, and MVT doesn't require it.
Keep your system and apps up to date. Many high-profile infections exploit newly discovered flaws; updating reduces the attack surface and closes known vectors.
Be wary of unexpected links and attachments, even if they appear to come from real contacts. Current campaigns abuse social engineering, chain bugs together, and minimize the signals visible to the user.
Remember: MVT tells you whether there are traces of known IoCs; it is not a universal detector. If you're a journalist, activist, or high-profile figure, add layers: secure communication, device separation, and, if necessary, professional audits.
For those who prefer 'zero surface', some opt for basic phones without Internet in sensitive contexts. It's an extreme and impractical solution for everyday use, but it illustrates the level of risk in certain scenarios.
With MVT you have a reasonable 'X-ray' of your phone against documented spyware, with clear steps on Linux and also on Windows using WSL. If you take the time to run it and read its warnings calmly, you can gain a lot of peace of mind or detect warning signs in time to justify a more in-depth expert analysis.