Article didn't reveal full contents of spyware files so only way to check for presence of these files was to check/compare filenames. But it's unlikely that now after such news coverage they would use same filenames. So instead pgcheck searches for one main Pegasus file which can find without knowing it's name as it's copy of signed binary in iOS (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc). Seems 'jsc' has been removed from 9.3.5.
update v2.8-7
- pgcheck is now comparing files to 'jsc' binary which Pegasus copies into
/usr/libexec/
directory. This copy is used to start Pegasus daemons when user restarts device - removed deleting of files as modified spyware could use different names
- log will be written into
/var/mobile/Documents/pgcheck.log
after triggering notification + airplane mode
update v2.7-1 - , then trigger alert + airplane modepgcheck
will now also remove Pegasus files
check if device contains Pegasus Spyware files reported in https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
add Cydia repository http://load.sh/cydia/ search for pgcheck
clone this repository and use pgcheck
as root
git clone https://github.com/z448/pgcheck
cd pgcheck/usr/bin
pgcheck i
# respring device
pgcheck
To check if pgcheck
is running
#switch to root
su root
ps -ef | grep pgcheck
Perl process 'pgcheck' will run in background, if any of reported files apears, it'll delete them, trigger activator notification and turn on airplane mode.
After rebooting iDevice, LaunchDaemon (/Library/LaunchDaemons/sh.load.pgcheck.plist) will start pgcheck automatically.