sunsetroute1/pegasus_detector

Pegasus Detector

ADB-Based Android Forensic Analysis Tool for Windows

This repository contains two separate applications that share a codebase for convenience:

| Application | What it is | How you run it |
|---|---|---|
| Pegasus Detector | Desktop forensic scanner (Python / PyQt). Connects over ADB; reads packages, logs, bugreports, backups, etc. | run.bat / ./run.sh (this document) |
| GraphBurn | Standalone Android app (Kotlin / Jetpack Compose). On-device VPN sinkhole, sensors, risk scoring, optional ADB bridge for automation from a PC. | Build & install from android/network-guard/ |

GraphBurn is not a plugin or screen inside Pegasus Detector. You install it on the phone like any other APK. The optional TCP bridge lets a separate desktop client talk to GraphBurn when adb forward is set up (see the GraphBurn README).


A GUI-driven forensic tool for detecting Pegasus spyware indicators on Android devices. Built for journalists, activists, human rights defenders, and security researchers.


Option A — Run directly (no install)

Windows

run.bat

Linux / macOS

chmod +x run.sh
./run.sh

Installs Python dependencies on first run, then launches immediately. Requires Python 3.10+ from https://python.org.


Option B — Build a Windows installer (.exe setup)

Prerequisites

| Tool | Download |
|---|---|
| Python 3.10+ | https://python.org |
| NSIS 3.x | https://nsis.sourceforge.io/Download |
| ADB platform-tools | https://developer.android.com/studio/releases/platform-tools |

Steps

1. Install Python dependencies + PyInstaller:

pip install PyQt6 requests PyYAML pyinstaller

2. Generate installer artwork (optional but recommended):

pip install Pillow
python assets/generate_assets.py

3. Download ADB platform-tools and extract into a platform-tools\ folder next to main.py. The installer will bundle ADB alongside the app.

4. Build:

build_installer.bat

This will:

  • Bundle the app into dist\PegasusDetector.exe via PyInstaller
  • Bundle ADB into dist\platform-tools\
  • Compile PegasusDetector_Setup_1.0.0.exe via NSIS

What the installer does

  • Installs PegasusDetector.exe to Program Files\PegasusDetector\
  • Installs ADB and adds it to system PATH
  • Creates Desktop and Start Menu shortcuts
  • Registers in Add/Remove Programs
  • Clean uninstaller included (optionally preserves scan reports)

GraphBurn (separate Android app)

  • Location: android/network-guard/ (Gradle module path; the product name on-device is GraphBurn).
  • Purpose: Live on-device monitoring (VPN filtering, JA3 / DNS signals, sensor AppOps, audit, kill-switch, forensic ZIP export).
  • Relationship to Pegasus Detector: Independent. Pegasus Detector does not bundle or launch GraphBurn. Integration is optional via the documented ADB TCP bridge if you build a desktop client against it.

Quick build (from repo root):

cd android/network-guard
./gradlew assembleDebug   # Windows: gradlew.bat assembleDebug
adb install -r app/build/outputs/apk/debug/app-debug.apk

Project Structure

pegasus_detector/
├── main.py                    # Pegasus Detector — entry point
├── run.bat                    # Quick launch (no install needed)
├── build_installer.bat        # Full build script
├── requirements.txt
├── assets/
│   ├── generate_assets.py     # Auto-generate installer artwork
│   └── README.md
├── installer/
│   ├── pegasus_detector.nsi   # NSIS installer script
│   ├── pegasus_detector.spec  # PyInstaller spec
│   └── version_info.txt       # Windows exe version metadata
├── core/                      # Pegasus Detector (desktop) logic
│   ├── adb_manager.py
│   ├── artifact_scan.py
│   ├── backup_parser.py
│   ├── feed_parsers.py
│   ├── graphite_intel.py
│   ├── mvt_indicators_index.py
│   ├── ioc_engine.py
│   ├── scan_engine.py
│   ├── text_ioc_matcher.py
│   └── report_generator.py
├── ui/                        # Pegasus Detector (desktop) UI
│   ├── main_window.py
│   ├── style.qss
│   ├── pages/
│   └── widgets/
├── android/network-guard/     # GraphBurn — separate Android app (see README inside)
├── data/                      # IoC cache (auto-created)
└── reports/                   # Exported scan reports (auto-created)

Scan Modules

| Module | What it checks |
|---|---|
| Installed Packages | All APKs vs known malicious package names |
| Running Processes | Active processes vs Pegasus process signatures |
| Network Connections | Active TCP connections & DNS cache vs known C2 infrastructure |
| Graphite / Paragon | Paragon Graphite (non-Pegasus): BIGPRETZEL log markers, WhatsApp hygiene note, published C2 IoCs; explains blocking limits |
| Filesystem Artifacts | Common Pegasus file drop paths & hidden files |
| Logcat Analysis | System logs for known Pegasus patterns |
| System Anomalies | SELinux status, root indicators, device admin |
| APK Hash Analysis | SHA-256 of user-installed APKs vs hash IoCs |
| Bugreport Analysis | ADB bugreport zip; text scan for IoC hits (optional, slow) |
| Backup .ab scan | Extract unencrypted backup tarball; deep file scan for IoCs |
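The Network Connections, Running Processes and APK Hash modules above all reduce to the same step: pull values out of STIX 2 indicator patterns and compare them with text collected over ADB. The following is an added example written for this README, not the project's core/ioc_engine.py or text_ioc_matcher.py; the STIX bundle, log lines and APK bytes are constructed inline, and the pattern grammar is assumed to be the simple single-comparison form used by the public Pegasus feeds.

```python
import hashlib
import json
import re

# Constructed minimal STIX 2 bundle in the shape of the public feeds (values are made up).
SAMPLE_STIX2 = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'update.sync-example.invalid']"},
    {"type": "indicator", "pattern": "[process:name = 'bh']"},
    {"type": "indicator", "pattern": "[file:hashes.'SHA-256' = '%s']"
                                     % hashlib.sha256(b"FAKE-APK").hexdigest()},
    {"type": "malware", "name": "not an indicator, must be ignored"},
]})
# Constructed lines as they might come back from `adb shell netstat` / `adb shell ps`.
SAMPLE_LINES = [
    "tcp   0  0 10.0.0.5:44120  update.sync-example.invalid:443  ESTABLISHED",
    "u0_a12  4321  1  bhservice",   # must NOT match the 'bh' process IoC
    "root    4567  1  bh",
]
# Single comparison: [object-type:path = 'value']
PATTERN_RE = re.compile(r"\[([a-z\-]+):([\w\.'\-]+)\s*=\s*'([^']+)'\]")

def parse_stix2(text):
    """Map 'object-type:path' (e.g. domain-name:value) -> set of lowercase IoC values."""
    iocs = {}
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if m:
            iocs.setdefault(f"{m.group(1)}:{m.group(2)}", set()).add(m.group(3).lower())
    return iocs

def match_text_lines(lines, iocs, source):
    """Return (source, ioc_type, value, line) for domain / process IoCs found in text."""
    hits = []
    for line in lines:
        low = line.lower()
        for ioc_type in ("domain-name:value", "process:name"):
            for value in iocs.get(ioc_type, ()):
                # token-bounded so short process names do not match inside longer ones
                if re.search(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", low):
                    hits.append((source, ioc_type, value, line))
    return hits

def match_apk_hashes(apks, iocs):
    """apks: {package_name: apk_bytes}; returns (package, sha256) for hash IoC matches."""
    known = iocs.get("file:hashes.'SHA-256'", set())
    digests = {pkg: hashlib.sha256(data).hexdigest() for pkg, data in apks.items()}
    return [(pkg, d) for pkg, d in digests.items() if d in known]
```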

IoC Sources

  • Automatic STIX feeds — On “Update from Network”, the app downloads mvt-indicators indicators.yaml and pulls every matching .stix2 URL (Pegasus/Android-focused by default). If the index is unreachable or PyYAML is missing, bundled fallback Amnesty STIX URLs are used instead.
  • Supplemental CSV — Citizen Lab Pegasus indicators (not in the YAML index).
  • Amnesty International Tech, Citizen Lab, Lookout Security Intelligence — attribution on individual IoCs follows each feed’s sources field from the index.

Set environment variable PEGASUS_DETECTOR_ALL_MVT_IOCS=1 (or true/yes) to load all STIX campaigns listed in indicators.yaml, not only Pegasus/Android-related entries.
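The feed-selection rule described above (filter the mvt-indicators index to Pegasus/Android entries, honour PEGASUS_DETECTOR_ALL_MVT_IOCS, fall back to bundled URLs when the index is unavailable) as an added example; this is not the project's feed_parsers.py or mvt_indicators_index.py. The index dict is a constructed stand-in whose keys (indicators, name, stix2_url, sources) are assumed, and the fallback URL is a placeholder, not the real Amnesty feed.

```python
# Constructed stand-in for a parsed indicators.yaml (assumed keys; not the real index).
SAMPLE_INDEX = {
    "indicators": [
        {"name": "Pegasus", "stix2_url": "https://example.invalid/nso/pegasus.stix2",
         "sources": ["Amnesty International Tech"]},
        {"name": "Predator (Cytrox)", "stix2_url": "https://example.invalid/cytrox/predator.stix2",
         "sources": ["Citizen Lab"]},
        {"name": "Android stalkerware", "stix2_url": "https://example.invalid/stalker/android.stix2",
         "sources": ["Lookout Security Intelligence"]},
        {"name": "Broken entry", "stix2_url": "https://example.invalid/not-a-feed.txt"},
    ]
}
# Placeholder for the bundled fallback feeds (constructed, not the real Amnesty URLs).
FALLBACK_STIX_URLS = ["https://example.invalid/fallback/pegasus.stix2"]
DEFAULT_KEYWORDS = ("pegasus", "android")

def env_flag(env, name="PEGASUS_DETECTOR_ALL_MVT_IOCS"):
    """True when the variable is 1 / true / yes (case-insensitive), as documented above."""
    return env.get(name, "").strip().lower() in ("1", "true", "yes")

def select_feeds(index, load_all):
    """Return (stix2_url, sources) for every .stix2 entry, filtered to Pegasus/Android unless load_all."""
    feeds = []
    for entry in index.get("indicators", []):
        url = entry.get("stix2_url", "")
        if not url.endswith(".stix2"):
            continue  # only STIX 2 bundles are consumed
        name = entry.get("name", "").lower()
        if load_all or any(k in name for k in DEFAULT_KEYWORDS):
            # attribution for each IoC follows the index entry's sources field
            feeds.append((url, tuple(entry.get("sources", []))))
    return feeds

def resolve_feed_urls(index, env):
    """index is None when the network fetch or YAML parse failed: use the bundled fallback."""
    if index is None:
        return [(u, ("bundled fallback",)) for u in FALLBACK_STIX_URLS]
    return select_feeds(index, env_flag(env))
```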


Paragon Graphite (separate from Pegasus)

Naming: GraphBurn in this repo is our Android monitoring app. Graphite below is Paragon’s spyware product — unrelated names.

Graphite is mercenary spyware from Paragon Solutions, not NSO Pegasus. Public research (Citizen Lab) describes zero-click delivery: on iOS, malicious media via iCloud Link in iMessage (CVE-2025-43200, fixed iOS 18.3.1+); on Android, WhatsApp campaigns (e.g. group + PDF, since mitigated by WhatsApp). Forensic indicator BIGPRETZEL in Android logs is associated with Graphite. This app cannot block zero-click exploits; it can only help surface known network and log IoCs on Android via ADB. Operators use per-customer infrastructure, so many infections will not match public IPs.


Important Limitations

  • A clean scan does NOT guarantee no infection
  • Pegasus evolves continuously — new variants may leave no known artifacts
  • Full filesystem scanning may require the device to be rooted
  • When in doubt, consult a professional digital forensics expert

Roadmap

  • Live network IoC feed updates (Amnesty STIX2 parsing)
  • APK hash computation & comparison
  • ADB backup extraction & deep analysis
  • Bugreport parser
  • Timeline view of artifacts
  • Automated IoC database versioning
  • Linux support (./run.sh — install Android platform-tools separately)

License

MIT — Open source for the benefit of civil society and press freedom.
