Post-confiscation forensic scanner for Android devices
Your phone was taken by border agents, security services, or law enforcement and returned to you. What did they install? Perseus Shield tells you in minutes.
Perseus Shield scans every app on your Android phone, checks it against Google Play Store, known spyware databases, and VirusTotal, then gives you a clear verdict: SAFE, SUSPICIOUS, DANGEROUS, or SPYWARE.
- Scans all apps installed since a specific date (e.g., the day your phone was confiscated)
- Identifies apps that were sideloaded (not from any app store)
- Cross-references every app against Google Play Store to verify legitimacy
- Checks for known spyware signatures : Pegasus (NSO Group), Predator (Intellexa), Monokle (FSB), Hermit (RCS Lab), NoviSpy, FinFisher, Candiru, QuaDream, Paragon Graphite, and 15+ stalkerware families
- Computes SHA-256 hashes and generates VirusTotal lookup links
- Performs a full permission audit with danger classification per permission
- Detects if VK Store (RuStore) was used to silently install additional apps
- Recognizes 70+ system package prefixes to eliminate false positives
- Produces color-coded terminal output and 4 export files (report, verdicts, permissions, CSV)
- Journalists crossing borders of authoritarian states
- Business travelers whose phones were inspected at border crossings
- Activists and NGO workers in countries with state surveillance
- Anyone whose phone was in custody of security services (FSB, police, border agents)
- Security researchers analyzing post-confiscation device integrity
- A Windows 10 or 11 computer (laptop or desktop)
- A USB cable that connects your Android phone to the computer
- Your Android phone (the one that was confiscated/inspected)
- About 10-20 minutes of time
That's it. No special software knowledge required. Follow the steps below exactly.
ADB is a free tool from Google that lets your computer talk to your Android phone.
- Open your web browser on your computer
- Go to: https://developer.android.com/tools/releases/platform-tools
- Click "Download SDK Platform-Tools for Windows"
- Check the box to accept the terms and click "Download"
- A file called
platform-tools-latest-windows.zipwill download - Find the downloaded file (usually in your
Downloadsfolder) - Right-click the zip file and select "Extract All..."
- Click "Extract"
- You now have a folder called
platform-tools-latest-windowswith a subfolderplatform-toolsinside it
Remember this folder location. For example:
C:\Users\YourName\Downloads\platform-tools-latest-windows\platform-tools\
Inside you should see files including adb.exe, fastboot.exe, and others.
- Download the file
phone-forensics.ps1from this GitHub repository - Move it into the
platform-toolsfolder from Step 1
So the file should be at:
C:\Users\YourName\Downloads\platform-tools-latest-windows\platform-tools\phone-forensics.ps1
It must be in the same folder as adb.exe.
Your phone has a hidden "Developer Mode" that needs to be turned on. This is safe and does not void your warranty.
- Open Settings
- Scroll down and tap "About phone"
- Tap "Software information"
- Find "Build number"
- Tap "Build number" 7 times quickly
- You will see a message: "You are now a developer!"
- If asked, enter your phone's PIN/password
- Open Settings
- Tap "About phone"
- Find "MIUI version" (or "HyperOS version")
- Tap it 7 times quickly
- You will see: "You are now a developer!"
- Open Settings
- Tap "About phone"
- Find "Build number"
- Tap it 7 times quickly
- Open Settings
- Tap "About device"
- Find "Build number"
- Tap it 7 times quickly
- Open Settings
- Tap "About phone"
- Find "Build number"
- Tap it 7 times quickly
Now you need to turn on USB Debugging. This allows your computer to communicate with your phone.
- Open Settings
- Scroll down to "Developer options" (it's now visible after Step 3)
- Tap "Developer options"
- Scroll down to "USB debugging"
- Toggle it ON
- Tap "OK" on the warning popup
- Open Settings
- Tap "Additional settings"
- Tap "Developer options"
- Scroll down to "USB debugging"
- Toggle it ON
- Tap "OK" on the warning popup
- ALSO toggle on "Install via USB" (scroll down to find it)
- Open Settings
- Tap "System"
- Tap "Developer options"
- Scroll down to "USB debugging"
- Toggle it ON
- Tap "OK" on the warning popup
- Plug your USB cable into your phone and your computer
- On your phone, you may see a popup asking about the USB connection mode
- Select "File Transfer" or "MTP" (not "Charging only")
- You may see a popup asking "Allow USB debugging?"
- Check "Always allow from this computer"
- Tap "Allow"
Important: If you don't see the "Allow USB debugging" popup, it will appear when you first run an ADB command. Don't worry, just continue to the next step.
- On your computer, press the Windows key on your keyboard
- Type
powershell - Click "Windows PowerShell" (you can use regular, not Administrator)
- A blue/black terminal window will open
- Navigate to the platform-tools folder by typing:
cd C:\Users\YourName\Downloads\platform-tools-latest-windows\platform-toolsReplace
YourNamewith your actual Windows username. If you're not sure, typewhoamiin PowerShell and it will show you.
- Verify you're in the right folder by typing:
lsYou should see adb.exe and phone-forensics.ps1 in the list.
Before running the scan, let's make sure your computer can see your phone.
- In PowerShell, type:
.\adb devices-
Look at your phone screen - you may see the "Allow USB debugging?" popup now. Tap "Allow" .
-
Run the command again:
.\adb devices- You should see something like:
List of devices attached
ABCD1234XYZ device
If you see device next to a serial number, you're connected. If you see unauthorized, check your phone for the Allow popup and tap Allow.
If you see nothing (empty list), try:
- Unplug and replug the USB cable
- Try a different USB cable (some cables are charge-only and don't transfer data)
- Make sure USB debugging is ON (Step 4)
- Make sure your phone is set to "File Transfer" mode (Step 5)
Now run the scan. First, allow the script to execute:
Set-ExecutionPolicy -Scope Process -ExecutionPolicy BypassThis is safe - it only applies to this one PowerShell window and resets when you close it.
.\phone-forensics.ps1 -FromDate "2026-03-28"Replace
2026-03-28with the actual date your phone was confiscated , in YYYY-MM-DD format.
.\phone-forensics.ps1 -FromDate "2009-01-01"Warning: A full scan of all apps takes 10-20 minutes. A date-specific scan takes 2-5 minutes.
.\phone-forensics.ps1 -FromDate "2026-03-28" -SkipPlayCheckFirst, get a free API key from https://www.virustotal.com/gui/join-us
.\phone-forensics.ps1 -FromDate "2026-03-28" -VTApiKey "your_api_key_here"Note: The free VirusTotal API allows 4 requests per minute. This makes the scan much slower but gives you malware detection results from 70+ antivirus engines.
The scan shows results in real-time in the terminal with color coding:
| Tag | Verdict | Meaning | Action |
|---|---|---|---|
[!!!] |
SPYWARE | Matches known spyware database | Stop using phone. Factory reset immediately. |
[!! ] |
DANGEROUS | Sideloaded + high permissions + not on Play Store | Investigate and likely remove |
[ ! ] |
SUSPICIOUS | Unexpected source or permissions | Review manually |
[ ~ ] |
LEGITIMATE | Known app, minor flags | Probably safe |
[ OK] |
SAFE | Verified on Play Store, from official source | No action needed |
[SYS] |
SYSTEM | OS or manufacturer component | Do not touch |
The scan creates 4 files in the same folder:
| File | What It Contains |
|---|---|
forensic-report_*.txt |
Full detailed report with all findings |
forensic-verdicts_*.txt |
One-line-per-app verdict summary (quick review) |
forensic-permissions_*.txt |
Full permission audit for every non-system app |
forensic-apps_*.csv |
Spreadsheet you can open in Excel with all data |
- STOP using the phone immediately - do not enter any passwords
- Do NOT try to uninstall the spyware - preserve evidence first
- Take screenshots of the scan results
- Factory reset the phone from Settings or Recovery Mode
- Change ALL passwords from a different, clean device
- Contact for help:
- Access Now Digital Security Helpline : security@accessnow.org
- Amnesty International Security Lab : https://securitylab.amnesty.org
- Citizen Lab : https://citizenlab.ca
- Check if you installed the app yourself
- If NOT, remove it:
.\adb shell "pm uninstall com.example.suspicious.app"Replace
com.example.suspicious.appwith the actual package name from the report.
- Check the VirusTotal link in the report for malware detections
- Consider factory reset if the app was installed while your phone was confiscated
- Review the app - do you recognize it? Did you install it?
- Check when it was installed - does the date match when your phone was in someone else's possession?
- Click the VirusTotal link to check the hash
- If unsure, remove it with the uninstall command above
If you find an app that needs to be removed:
.\adb shell "pm uninstall com.example.app.package.name"You should see Success as the response.
To verify it was removed:
.\adb shell "pm list packages" | Select-String "example"If nothing comes back, the app is gone.
When you're done scanning, you can turn off Developer Mode:
- Open Settings on your phone
- Go to Developer options
- Toggle the switch at the top to OFF
- This disables USB debugging and all developer features
The scanner may flag some apps as HIGH or SUSPICIOUS that are actually safe. Common false positives include:
- System apps from your phone manufacturer (Samsung, Xiaomi, etc.) - these show as "sideloaded" because they come pre-installed in firmware, not from the Play Store
- Carrier-branded apps (Vodafone, Orange, T-Mobile setup wizards) - pre-installed by your mobile carrier
- Factory test tools (fingerprint sensor tests, hardware diagnostics) - leftover tools from manufacturing
The scanner handles most of these automatically by recognizing 70+ system package prefixes and treating factory-date apps (2009-01-01) as system components. If you see a SUSPICIOUS verdict on an app installed at 2009-01-01, it's almost certainly a system component.
Perseus Shield checks for signatures from these known threats:
| Threat | Developer | Known Targets |
|---|---|---|
| Pegasus | NSO Group (Israel) | Journalists, activists, heads of state |
| Predator | Intellexa/Cytrox (EU) | Politicians, journalists |
| Monokle | Special Technology Center (Russia/FSB) | Russian citizens, Ukrainian supporters |
| Hermit | RCS Lab (Italy) | Activists in Italy, Kazakhstan |
| NoviSpy | Serbian BIA | Serbian civil society |
| FinFisher/FinSpy | Gamma Group (Germany) | Activists worldwide |
| Candiru/DevilsTongue | Candiru (Israel) | Journalists, activists |
| Reign | QuaDream (Israel) | Civil society |
| Graphite | Paragon Solutions (Israel) | Journalists in EU |
| Android.Backdoor.916 | Unknown (Russia-linked) | Russian business executives |
| + 15 stalkerware families | Various | Domestic abuse victims |
Yes. The script only reads data from your phone. It does not modify, delete, or install anything. It uses adb shell dumpsys package (which reads package metadata) and adb shell sha256sum (which computes file hashes). These are read-only operations.
It works on any Android phone that supports USB debugging (Android 4.4 and above, which covers virtually all phones made after 2013).
No. This tool is for Android only. For iPhones, use iVerify Basic ($0.99 on the App Store) which can detect Pegasus and other commercial spyware.
The basic scan works offline. Internet is only needed for the Google Play Store verification check and VirusTotal lookups. Use the -SkipPlayCheck flag for fully offline scanning.
- Date-specific scan (e.g., last 2 weeks): 2-5 minutes
- Full device scan: 10-20 minutes (depends on number of apps)
- With VirusTotal API: Add 16 seconds per non-system app (API rate limit)
Standard spyware cannot detect ADB-based scanning. The scan reads package metadata, not app data. However, very sophisticated implants (like Pegasus) that operate at the kernel level could theoretically detect ADB connections. If you suspect Pegasus-level compromise, contact Amnesty Security Lab or Citizen Lab directly.
Package-level scanning cannot detect certain advanced threats like kernel-level rootkits, modified system partitions, or zero-day exploits that don't install visible packages. If your phone was in custody of a technically sophisticated adversary (FSB, NSA, MSS, etc.), consider:
- Running MVT (Amnesty International's Mobile Verification Toolkit) for deeper analysis
- Running iVerify Basic on the device for complementary scanning
- Factory resetting the phone as the most reliable remediation
- Using a new phone for sensitive communications
| Tool | Type | Cost | Best For |
|---|---|---|---|
| iVerify Basic | Mobile app (Android/iOS) | $0.99 | Pegasus/zero-day detection |
| MVT | Command line (Linux/Mac) | Free | Deep forensic analysis |
| Certo AntiSpy | Mobile app (Android) | Free/Paid | Stalkerware detection |
| Anti Spy Detector | Mobile app (Android) | Free/Paid | General spyware scanning |
Perseus Shield is designed to complement these tools, not replace them. It fills a specific gap: fast, transparent, post-confiscation triage with date-specific filtering and plain-English explanations.
This tool is provided for defensive security purposes only . It is designed to help individuals determine if their personal devices were tampered with during lawful or unlawful confiscation. The authors do not provide legal advice. If you believe your rights were violated during a device search, consult a qualified attorney in your jurisdiction.
The spyware signature database is based on public research from Citizen Lab, Amnesty International Security Lab, Lookout, Google Threat Analysis Group (TAG), and other reputable sources. It may not detect previously unknown (zero-day) spyware or custom-built implants.
Contributions welcome. Priority areas:
- Additional spyware IOC signatures
- Expanded system package prefix database for more phone brands
- Translations of the README into other languages (Russian, Arabic, Farsi, Chinese)
- Docker containerized version with web UI
- macOS/Linux support
- Citizen Lab (University of Toronto) - Monokle spyware research and IOCs
- Amnesty International Security Lab - MVT toolkit and Pegasus research
- Lookout Mobile Security - Original Monokle analysis
- Google Threat Analysis Group - Commercial spyware tracking
- iVerify / Trail of Bits - Mobile threat hunting research
- Access Now - Digital security helpline for at-risk individuals
MIT License. See LICENSE file for details.
Free to use, modify, and distribute. If this tool helps you, consider donating to Access Now or Citizen Lab who do critical work protecting people from surveillance.