
How to Audit Your Android Phone for Pegasus Spyware Indicators
A forensic-grade command line sequence to identify traces of mercenary spyware on Android devices without relying on automated antivirus software.

The surveillance landscape of 2026 has shifted significantly. While state-sponsored actors once dominated the use of mercenary spyware like Pegasus, the market has decentralized. We now see sophisticated tools, originally reserved for intelligence agencies, leaking into the hands of private investigative firms and local actors. These tools are often deployed not through complex zero-click exploits, but via "hooking" methods—trojanized applications masquerading as legitimate services or system updates.
Antivirus software is largely ineffective against these threats. Modern spyware operates with the same privileges as the operating system, effectively hiding its presence from standard scanning routines. To determine if your device is compromised, you must look for behavioral anomalies rather than known file signatures. The following audit moves beyond surface-level checks. It utilizes the Android Debug Bridge (ADB) to interrogate the system at a level where spyware cannot easily mask its resource consumption and network connections.
Before proceeding, understand the limitation of this process. While these steps can reveal the "footprints" of an active infection—excessive data usage, dormant background processes, or unauthorized accessibility services—a truly advanced zero-day exploit might leave no trace in the user space. This guide targets the tools used in local corporate and legal investigations, which often rely on persistence mechanisms that generate detectable system noise.
Preliminary Checks Without External Tools
Auditing begins with observation before you connect the device to a computer. Spyware must communicate with a command and control (C2) server to upload stolen data. This constant stream leaves a mark on your data plan and battery life.
Open your Settings and navigate to Network & Internet > Data Saver > Data Usage. Look at the "Mobile data usage" graph. You are looking for anomalies: data spikes occurring between 2:00 AM and 4:00 AM when the phone was idle, or consistent background usage by apps that should not require internet access, such as system tools or calculator apps.
Next, check your battery history. Go to Settings > Battery > Battery Usage. Tap the three-dot menu and select "Show full device usage." Spyware often prevents the CPU from entering deep sleep states. If you see "Android System" or "Mobile standby" consuming a significant percentage of your battery while the phone was supposed to be in your pocket, you have a primary indicator of compromise. These symptoms are often dismissed as battery degradation, but in the context of high-value targeting, they are rarely coincidental.
Establishing a Secure Bridge with ADB
To perform a deep inspection, you need a terminal interface. Download the Platform Tools from the official Android developer website onto your computer. Avoid third-party bundles; the official Google SDK is the only package with verified integrity.
- Extract the downloaded zip file to a known folder on your computer.
- On your Android phone, enable Developer Options by tapping "Build Number" in Settings > About Phone seven times.
- In Developer Options, enable USB Debugging.
- Connect your phone to your computer via a USB cable you trust. Public charging cables can be modified to inject data, so use your original manufacturer cable.
- Open a command prompt or terminal window on your computer in the Platform Tools folder.
- Type adb devices and press Enter.
Your phone screen will prompt you to "Allow USB debugging?" Ensure the box "Always allow from this computer" is unchecked. This forces authorization every time, preventing a compromised machine from accessing your phone later without your physical confirmation. Once you authorize, your device's serial number will appear in the terminal, confirming the connection is active.
Inspecting Background Services and Battery Cycles
Now that the bridge is established, we query the system for process statistics. Standard task managers only show user-facing apps, but ADB reveals background services. Enter the following command:
adb shell dumpsys procstats
This command outputs a massive amount of data regarding process runs over the last 3 to 24 hours. Scroll through the text (or pipe it to a text file if using a desktop). Look for entries with high "Run Duration" but no corresponding app package name you recognize. Spyware frequently disguises itself using system-sounding names like com.android.system.update or com.google.android.gms.update. Compare the package names against the list of installed apps.
If an app claims to be a system update but has a high CPU run time and active foreground time, it is suspect.

For a more specific battery check, use:
adb shell dumpsys batterystats
Look for specific parameters like data_packet_tx and data_packet_rx (transmitted and received packets). If a background process has sent gigabytes of data while the screen was off, you have identified a major exfiltration event. This matters because the initial infection vector is often a malicious download, and the persistent connection it establishes is exactly what shows up in these counters.
Analyzing Network Connections for Suspicious Latency
Network behavior is the most reliable tell for active surveillance. Spyware attempts to minimize its footprint by sending data in small bursts, which can look like regular keep-alive packets. However, the destination IP addresses often give the game away.
Enter the following command to view active TCP connections:
adb shell netstat -tulpn
You will see a list of IP addresses and ports your phone is currently connected to. Pay close attention to "Foreign Address." Look for established connections (ESTABLISHED) on ports that are not standard web browsing ports (80, 443). Spyware often uses non-standard high-numbered ports (e.g., 4444, 5555, or random 5-digit ports) to bypass corporate firewalls.
If you see an IP address that looks suspicious, do not ping it from your home network. Instead, copy the address and research it through a reputable threat intelligence lookup tool offline.
Another command helps identify the specific app responsible for the connection:
adb shell cat /proc/net/tcp
Cross-reference the inode numbers from this output with the process IDs found using adb shell ps. This forensic technique links a network connection directly to a running application process. If you find a data connection linked to a generic package name like com.android.service that does not exist in your installed apps list, you are likely looking at a cloaking mechanism used by tools like Pegasus or its derivatives.
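Decoding the hex columns of /proc/net/tcp by eye is the slow part of the cross-reference described above. The following POSIX shell functions are an added example, not part of the original guide, that parse a constructed /proc/net/tcp sample (the addresses are documentation ranges, not real infrastructure), convert the little-endian hex addresses and hex ports to dotted form, and list only ESTABLISHED sockets whose remote port is not 80 or 443, together with the owning uid and the socket inode that the page tells you to match against running processes.

```shell
#!/bin/sh
# Added example: decode `adb shell cat /proc/net/tcp` output and list ESTABLISHED
# sockets whose remote port is not 80/443. The sample below is constructed,
# not captured from a real device.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0202A8C0:B8F6 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 0202A8C0:C9A2 076433C6:115C 01 00000000:00000000 00:00000000 00000000 10245        0 34567 1 0000000000000000 20 4 30 10 -1'

# /proc/net/tcp writes IPv4 addresses as 8 hex digits in host (little-endian)
# byte order, so the LAST byte pair is the FIRST octet: 0A7100CB -> 203.0.113.10
hex_to_ip() {
  h=$1
  printf '%d.%d.%d.%d' \
    "0x$(printf '%s' "$h" | cut -c7-8)" \
    "0x$(printf '%s' "$h" | cut -c5-6)" \
    "0x$(printf '%s' "$h" | cut -c3-4)" \
    "0x$(printf '%s' "$h" | cut -c1-2)"
}

# Ports are plain hex: 01BB -> 443, 115C -> 4444
hex_to_port() { printf '%d' "0x$1"; }

# Read /proc/net/tcp text on stdin. Print one line per ESTABLISHED socket
# (st == 01) whose remote port is not 80 or 443, as:
#   uid=<uid> remote=<ip>:<port> inode=<inode>
suspicious_connections() {
  while read -r sl laddr raddr st _txrx _trtm _retr uid _timeout inode _rest || [ -n "$sl" ]; do
    case "$sl" in sl) continue ;; esac         # skip the header line
    [ "$st" = "01" ] || continue               # 0A = LISTEN, 01 = ESTABLISHED
    port=$(hex_to_port "${raddr##*:}")
    case "$port" in 80|443) continue ;; esac   # ordinary web traffic
    printf 'uid=%s remote=%s:%s inode=%s\n' "$uid" "$(hex_to_ip "${raddr%%:*}")" "$port" "$inode"
  done
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | suspicious_connections
```

On a real device, replace the sample with `adb shell cat /proc/net/tcp | suspicious_connections`. The inode column is the key the page describes, but reading another app's /proc/PID/fd to match it requires root; on an unrooted phone the uid column is the practical second key, because Android gives every installed app its own uid (10000 and up), and `adb shell pm list packages -U` prints the uid next to each package name.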
Verifying Application Integrity and Permissions
Local investigations often utilize "stalkerware" rather than military-grade exploits. These tools rely on Accessibility Services to read keystrokes and screens. An app asking for accessibility permissions is the single biggest red flag on Android.
Check the status of accessibility services via ADB:
adb shell settings get secure enabled_accessibility_services
This returns the enabled services as a colon-separated list of package/service entries (or null if none are enabled). Verify every single package name. If you do not recognize a package, or if it claims to be a service for a game or a simple utility app, you must revoke its permission immediately.
You should also audit the installed packages list to find apps that are hidden from the launcher.
adb shell pm list packages -f -3
The -3 flag filters for third-party apps only. Review this list meticulously. Attackers often hide spyware with names that mimic legitimate keyboard apps or wallpaper apps. If you find a package you do not remember installing, note the path. It will often be located in /data/app/ but the name of the folder might be randomized.
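Two checks on this page reduce to comparing lists: the procstats section warns about system-sounding names such as com.android.system.update, and the accessibility section asks you to verify every package with accessibility access. The POSIX shell functions below are an added example, not the guide's own code, that parse a constructed `pm list packages -f -3` listing and a constructed enabled_accessibility_services value (package names, paths and the allowlist are invented for the example), flag third-party packages that borrow system or Google prefixes, and print any accessibility package that is not on your own allowlist.

```shell
#!/bin/sh
# Added example: cross-check third-party packages and accessibility services.
# Both samples are constructed to resemble ADB output; they are not real captures.
SAMPLE_PM_LIST='package:/data/app/~~Ab3xYz==/com.example.keyboard-1/base.apk=com.example.keyboard
package:/data/app/~~Q9tL0p==/com.android.system.update-2/base.apk=com.android.system.update
package:/data/app/~~Zz1Kq2==/org.example.notes-1/base.apk=org.example.notes'
# Value of `settings get secure enabled_accessibility_services`: entries are
# package/ServiceClass, separated by colons.
SAMPLE_A11Y='com.example.keyboard/com.example.keyboard.InputService:com.android.system.update/.UpdateService'

# Package name from each `pm list packages -f -3` line: the text after the last '='.
third_party_packages() { sed -n 's/^package:.*=\([^=]*\)$/\1/p'; }

# Package part of each accessibility entry (drop the /ServiceClass suffix).
accessibility_packages() { tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p'; }

# Third-party packages that use system/vendor prefixes. A genuine system or
# Google package does not appear in a -3 (third-party only) listing, so any hit
# here deserves a closer look.
system_lookalikes() { grep -E '^(com\.android\.|com\.google\.android\.)'; }

# Print every package on stdin that is not in the space-separated allowlist $1.
not_in_allowlist() {
  allow=" $1 "
  while read -r pkg || [ -n "$pkg" ]; do
    [ -n "$pkg" ] || continue
    case "$allow" in *" $pkg "*) ;; *) printf '%s\n' "$pkg" ;; esac
  done
}

# Stand-alone run against the constructed samples:
echo "third-party packages with system-looking names:"
printf '%s\n' "$SAMPLE_PM_LIST" | third_party_packages | system_lookalikes
echo "accessibility services outside the allowlist:"
printf '%s\n' "$SAMPLE_A11Y" | accessibility_packages | not_in_allowlist "com.example.keyboard"
```

On a real device feed the functions from ADB instead of the samples: `adb shell pm list packages -f -3 | third_party_packages | system_lookalikes` and `adb shell settings get secure enabled_accessibility_services | accessibility_packages | not_in_allowlist "<your trusted packages>"`. Build the allowlist from apps you installed deliberately and know to need accessibility access (a screen reader, a password manager); anything the second pipeline prints is a package to investigate and revoke.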
When auditing network infrastructure, it is worth noting that sophisticated operations route their C2 traffic through cloud providers to blend in with normal traffic, and regional cloud servers are normally chosen for low latency. If your netstat audit shows high-latency connections to regional cloud servers at irregular hours, it suggests the traffic is encrypted and heavy, consistent with log exfiltration rather than standard app syncing.
The Trade-off of Digital Hygiene
Completing this audit provides a snapshot of your device's health, but it is not a permanent cure. If you discover indicators of compromise—particularly an unknown process with root privileges or an active shell connection you did not initiate—the only reliable remediation is a factory reset. Before doing so, back up your contacts and photos only; do not back up app data, as you risk re-installing the infected payload.
Moving forward, the most effective defense is behavioral. Attackers using these tools in 2026 rely on the victim clicking a link or installing a "configuration profile." The prevalence of phishing vectors makes human error the primary vulnerability.
However, absolute security comes at the cost of convenience. Implementing the strict lockdown required to stop Pegasus—such as never clicking links, avoiding SMS entirely, and refusing to install non-store apps—renders a smartphone barely functional for the average professional. You must decide where your threshold lies. For most, the risk of state-level surveillance is low, but for those involved in corporate litigation, political opposition, or investigative journalism, the tedious process outlined here is a necessary daily ritual. We have moved past the era of simply trusting our devices; we must now interrogate them constantly.

