explaingit

mvt-project/mvt

12,397 | Python | Audience · researcher | Complexity · 3/5 | License | Setup · moderate

TLDR

A Python command-line tool built by Amnesty International for forensic analysis of Android and iOS devices. It scans backups for known spyware indicators and is designed for security researchers and investigators, not everyday users.

Mindmap

mindmap
  root((MVT))
    What it does
      Spyware detection
      Forensic analysis
      Indicator matching
    Commands
      mvt-ios
      mvt-android
    How it works
      Scan device backup
      Compare indicators
      Generate report
    Audience
      Security researchers
      Investigators

Things people build with this

USE CASE 1

Scan an iOS device backup for known Pegasus spyware indicators using the mvt-ios command

USE CASE 2

Analyze an Android phone's extracted data by comparing it against Amnesty International's public indicator list

USE CASE 3

Generate a structured forensic report of suspicious files, domain names, and processes on a potentially compromised device

Tech stack

Python

Getting it running

Difficulty · moderate | Time to first run · 30min

Requires a device backup or extracted data file. The README explicitly warns that this tool is intended for forensic experts, not regular users.

Custom license restricting use to consensual forensic analysis: you cannot use MVT to scan a device without the owner's explicit permission.

In plain English

MVT (Mobile Verification Toolkit) is a Python command-line tool for forensic analysis of Android and iOS devices. It was built by Amnesty International's Security Lab in 2021 as part of the Pegasus Project, an investigation into spyware sold by NSO Group that was used to target journalists, activists, and civil society members. The tool automates gathering forensic evidence that can indicate whether a phone has been compromised by spyware.

The toolkit works by scanning a device's backup files or extracted data for known indicators of compromise, which are lists of suspicious file names, domain names, process names, and other markers associated with known spyware campaigns. Amnesty International maintains a public set of these indicators, and MVT supports loading them from a file to compare against what it finds on the scanned device. There are two main commands: mvt-ios for Apple devices and mvt-android for Android. The tool outputs a structured report of what was found, flagging anything that matches an indicator.

Installation is via pip or the uv package manager, and it requires some dependencies that are listed in the documentation. The README is explicit that this is a tool for technologists and investigators who understand digital forensics, not something designed for regular users to run on their own phones. It also notes that a clean result from MVT does not guarantee a device is safe, since public indicators do not cover all known spyware variants or the most recent attack methods. Comprehensive forensic support for high-risk individuals is available through Amnesty International and partners like Access Now.

The project uses a custom license rather than a standard open-source license, specifically to restrict use to consensual analysis and prevent it from being used to violate someone else's privacy without consent.

Copy-paste prompts

Prompt 1
Install MVT via pip and run mvt-ios on an iTunes backup to check for Pegasus spyware indicators. Show me the exact commands.
Prompt 2
How do I download Amnesty International's indicator file and load it into MVT before scanning an Android device?
Prompt 3
Run mvt-android on an extracted Android device backup and explain what each flag in the output report means.
Prompt 4
What does a clean MVT scan result actually mean? Does it guarantee the phone has not been compromised?
Prompt 5
Set up MVT using the uv package manager on a fresh machine and scan an iOS device backup from scratch.

Verify against the repo before relying on details.