
A daily malware & virus scan, on your device.

By Helix · ~2,600 words · The on-disk complement to live detection

Live monitoring catches spyware while it's running and talking. But payloads also sit on disk — dropped, staged, dormant, waiting. So every single day, Helix hashes the files in the places malware likes to live and checks every one against the same live feed of 4,179+ real mercenary-spyware indicators. It catches known payloads on storage, not just in motion. Here's how that scan works, and exactly what it can and can't promise.

1. Why a file scan, when you already watch the network?
2. How hash-based detection works
3. The same 4,179+ indicator feed
4. Why daily — and why on-device
5. The real-world threat it stops
6. Why this matters to you specifically
7. How Helix implements it
8. The honest limits — read this part
9. The bottom line

1. Why a file scan, when you already watch the network?

Helix's real-time detection engine watches the live surfaces of a compromise: the network connections an implant opens and the processes it runs. That's powerful, but it has a timing blind spot. An implant isn't always actively running and talking. Payloads get staged: dropped onto disk first, then executed later — sometimes on a trigger, sometimes after a reboot, sometimes only when the operator decides it's time. A component might sit dormant for days. A secondary tool might be downloaded and parked, ready for a future phase of an operation.

If you only ever watch live behavior, you can miss the window when the payload is sitting quietly on storage between runs. The daily file scan closes that window. It looks at what's on disk, regardless of whether anything is executing right now. Together, the live watch and the daily scan cover both states a payload can be in — in motion and at rest — so there's no comfortable place for a known component to hide.

Think of it as two complementary sensors. The live engine is a motion detector: it fires when something acts. The daily scan is a sweep of the building: it finds the thing sitting in a corner even when nothing's moving.

2. How hash-based detection works

The scan is built on cryptographic file hashing, and it's worth understanding why that's a reliable foundation. A hash function takes a file — any file, of any size — and produces a fixed-length fingerprint. Change a single byte of the file and the fingerprint changes completely. Two files with the same hash are, for all practical purposes, the same file.

This gives malware detection a precise, unambiguous test. When researchers analyze a confirmed mercenary-spyware infection, one of the artifacts they publish is the hash of each malicious binary or component the implant dropped. That hash is the file's identity. So to check whether a known payload is on your device, Helix simply hashes the files in the locations payloads tend to land, and compares each fingerprint against the list of known-bad hashes in the indicator feed. A match isn't a guess or a heuristic — it's a byte-for-byte confirmation that the file on your disk is a specific file researchers have tied to a specific spyware family.

This is the same principle that traditional antivirus uses, with one important difference in framing: Helix isn't trying to be a general-purpose AV against every commodity virus on earth. It's purpose-built around the mercenary-spyware corpus — the Pegasus-class threats that actually target the people Helix is built for. The feed is curated for the threat that matters, not padded with decades of irrelevant desktop adware signatures.

3. The same 4,179+ indicator feed

The daily scan draws on the very same threat intelligence as the live engine: 4,179+ distinct indicators sourced from Amnesty International's Mobile Verification Toolkit (MVT) and Citizen Lab. Within that corpus, the file-hash and file-path indicators are what power the scan — the fingerprints of binaries and components documented across confirmed infections of Pegasus, Predator (Cytrox), FinFisher, NoviSpy and other mercenary families.

Because it's the same feed that the live engine uses, it gets the same benefit: it grows. Every time researchers publish the analysis of a freshly targeted device, new hashes enter the corpus, and the next day's scan checks against them. Your protection isn't frozen at the moment you installed the app — it tracks the field's collective knowledge. (For more on the feed and where the indicators come from, see the real-time Pegasus detection post.)
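To make the mechanism in sections 2 and 3 concrete, here is an added example of the scan loop, written for this post and not Helix's own code. It assumes SHA-256 as the hash, a constructed indicator feed (one file hash and one drop path, neither a real indicator), a constructed sample tree, and hypothetical function names (sha256_file, scan_tree, make_sample_tree, run_demo). It hashes every regular file under a root in chunks, reports both hash-indicator and path-indicator matches, records unreadable files instead of silently skipping them, and includes a one-byte variant of the payload to show the recompilation limit that section 8 describes.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed indicator feed for this example: the hash of a sample payload
# written by make_sample_tree() and one drop path. Nothing here is a real
# spyware indicator.
SAMPLE_PAYLOAD = b"staged loader component (constructed sample, not real malware)\n"
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
KNOWN_BAD_PATHS = {"Library/Caches/com.example.stage/helper"}  # relative to scan root

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files are never loaded whole


def sha256_file(path: Path) -> Optional[str]:
    """Fingerprint one file; None if it cannot be read (permissions, vanished mid-scan)."""
    h = hashlib.sha256()
    try:
        with path.open("rb") as f:
            for block in iter(lambda: f.read(CHUNK), b""):
                h.update(block)
    except OSError:
        return None
    return h.hexdigest()


def scan_tree(root: Path, bad_hashes: set, bad_paths: set) -> dict:
    """Walk root, hash every regular file, and report hash and path indicator matches."""
    findings, unreadable, scanned = [], [], 0
    for dirpath, _dirs, names in os.walk(root):  # followlinks=False: stay inside root
        for name in names:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # a link is not the payload; skip rather than hash its target
            rel = p.relative_to(root).as_posix()
            digest = sha256_file(p)
            if digest is None:
                unreadable.append(rel)  # report gaps; a silent skip is a false "clean"
                continue
            scanned += 1
            if digest in bad_hashes:
                findings.append({"path": rel, "kind": "hash", "sha256": digest})
            elif rel in bad_paths:
                findings.append({"path": rel, "kind": "path", "sha256": digest})
    return {"scanned": scanned, "findings": findings, "unreadable": unreadable}


def make_sample_tree(root: Path) -> None:
    """Constructed on-disk layout: one exact payload, one one-byte variant at a
    known drop path, one variant somewhere new, and a benign file."""
    variant = bytearray(SAMPLE_PAYLOAD)
    variant[0] ^= 0x01  # a single flipped bit gives a completely different fingerprint
    files = {
        "tmp/stage.bin": SAMPLE_PAYLOAD,                            # matched by hash
        "Library/Caches/com.example.stage/helper": bytes(variant),  # hash misses, path catches
        "Documents/variant.bin": bytes(variant),                    # neither: the stated limit
        "Documents/notes.txt": b"grocery list\n",                   # benign
    }
    for rel, data in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and scan it; returns the scan report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_sample_tree(root)
        return scan_tree(root, KNOWN_BAD_HASHES, KNOWN_BAD_PATHS)


if __name__ == "__main__":
    result = run_demo()
    print(f"scanned {result['scanned']} files, {len(result['unreadable'])} unreadable")
    for f in result["findings"]:
        print(f"  [{f['kind']}] {f['path']} sha256={f['sha256'][:16]}...")
```

Two of the four constructed files are flagged: the exact payload by its hash, and the variant parked at a documented drop path by the path indicator. The same variant placed somewhere new is not flagged at all, which is exactly the gap a hash feed has against recompiled or lightly mutated components; the path indicators in the feed narrow that gap only when the operator also reuses the location.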

4. Why daily — and why on-device

Why daily, specifically? It's a deliberate balance. Hashing files has a cost in time and battery, so scanning every file every second would be wasteful and intrusive. But waiting weeks would leave a staged payload undisturbed for far too long. A daily cadence means that a known component dropped onto your device has, at most, about a day on disk before it's checked against the feed — and it means new indicators published by researchers get applied to your actual files within a day of reaching the app. Fast enough to matter, light enough to live with. You can also trigger an on-demand scan any time you want immediate reassurance — after connecting to a sketchy network, after your device has been out of your hands, or before walking into something sensitive — so the daily rhythm is a floor, not a ceiling, on how often the disk gets checked.

And why on-device? Because the alternative — uploading your files or even just their hashes to a cloud service for scanning — would itself be a privacy and surveillance surface. The whole premise of Helix is that your data lives only on devices you control, with no third party to subpoena, breach or mine. The scan honors that. The hashing happens locally, the comparison happens locally, and nothing about your files leaves the device to perform it. A security feature that quietly created a new exfiltration channel would be self-defeating.

5. The real-world threat it stops

Consider how a real operation often unfolds. The initial exploit lands a small foothold — a loader. The loader's job is to pull down and stage the larger, fuller implant and its supporting components on disk, then execute them. There's a window, sometimes brief and sometimes long, where those staged files exist on storage before or between executions. Some implants are designed to live mostly in memory and re-stage themselves after each reboot, which means there are repeated moments where files touch disk.

The daily scan is built for exactly those moments. If a dropped component matches a known hash, the scan finds it on disk even if the implant isn't actively running when you check — even if the live process watch happened to see nothing at that instant because the payload was dormant. It's the layer that catches the thing that's hiding quietly rather than the thing that's actively misbehaving.

It also catches more pedestrian threats that still matter: a malicious file delivered through a sideloaded app, a poisoned download, a tampered attachment that slipped through. You don't have to be the target of a million-dollar zero-click to end up with a known-bad file on your device. The daily scan is a steady, automatic backstop against all of it — anything whose fingerprint is on the list.

6. Why this matters to you specifically

The same people who are worth surveilling in real time are worth staging a long-game implant against — and the staged, on-disk phase is precisely where a daily scan earns its keep.

7. How Helix implements it

The scan is part of the Helix client and runs automatically on standard iOS and Android, plus Windows, macOS and Linux — no separate app, no manual trigger required, though you can run an on-demand scan whenever you want reassurance. A few implementation choices matter:

8. The honest limits — read this part

Hash-based scanning is genuinely useful, and it has genuine boundaries. We'd rather you understand them than be surprised by them.

The daily scan catches known payloads — files whose hashes are already in the indicator feed. It cannot recognize a brand-new payload that no researcher has published yet, and a determined adversary can alter a file so its hash no longer matches a known one. A clean scan means "nothing matching the known list was found," not "this device is definitely clean." And like all userspace tooling, it cannot fully see what a kernel-level implant chooses to hide from the operating system.

Be clear-eyed about each piece.

Polymorphism and recompilation: because a hash changes if even one byte changes, an attacker who recompiles or lightly mutates their payload produces a file that won't match the recorded hash. Hash matching is strongest against reused, unmodified components — which, fortunately, is common, because rebuilding and re-testing tooling for every single target is expensive. But it's not guaranteed.

Novel payloads: a never-before-seen component leaves nothing on the list to match.

Kernel-level concealment: the deepest implants can intercept the very file-system calls a scanner uses, hiding their own files from any userspace process — including Helix. No tool running in userspace on a stock phone can fully beat that.

So why run it? Because the realistic threat landscape is dominated by reuse. Operators amortize tooling across many targets; the same components show up again and again, which is exactly what makes a published-hash feed effective in the field. The daily scan raises the cost of a long-game operation: an adversary now has to use pristine, never-published, per-target-mutated payloads and operate flawlessly to avoid ever landing a recognizable file on disk — a far higher bar than reusing what worked last time. It's one honest, automatic layer in a posture, working alongside live detection, the mic/camera monitor and the rest. Not a silver bullet. A reliable daily backstop that makes you harder and more expensive to compromise quietly.

Why hashes still beat the alternatives for this threat

You might wonder why Helix leans on hash matching at all when the security industry talks endlessly about behavioral analysis, machine learning and cloud reputation engines. The answer is a deliberate trade-off rooted in what Helix is and who it's for. Behavioral and ML-based detection can, in principle, catch novel threats by their actions rather than their fingerprints — but they do it at a cost the rest of Helix refuses to pay. They are noisy, generating false positives that erode trust until you start ignoring alerts. They are heavy, draining battery and burning cycles. And the cloud-reputation variety works by shipping data about your files and behavior off the device to be scored by someone else's servers — which is itself a surveillance and harvesting surface, the exact thing Helix exists to eliminate. A hash check is the opposite: precise, quiet, cheap, and fully local. For a tool whose threat model is targeted mercenary spyware that overwhelmingly reuses known components, a curated hash feed is the honest sweet spot — high confidence, no false-positive fatigue, no data leaving your device. We'd rather give you a sharp, local check against the real threat than a fuzzy, chatty engine that quietly phones home.

How the scan fits the rest of the shield

It helps to see where the daily scan sits in the whole picture. The live spyware-detection engine covers the network and process surfaces in real time; the daily scan covers the on-disk surface; the mic and camera monitor covers the sensors; network and evil-twin detection cover the wire; device-posture checks cover the risky states an implant needs or leaves behind. No single one of these is the answer. They overlap on purpose, so that a payload that slips past one sensor's timing is caught by another's. A staged file that the live watch missed because nothing was executing gets hashed by the daily scan. An active connection the daily scan can't see because it's a file-at-rest check gets caught live by the network watcher. The redundancy is the point — it's how a layered posture turns individual "strong signals, not guarantees" into a net that's genuinely hard to slip through cleanly. The daily scan is one thread in that net, pulling the on-disk corner tight.

9. The bottom line

Payloads don't only live in motion — they live at rest, staged on disk, waiting. Helix's daily malware and virus scan covers that state: every day it hashes the files where malware lands and checks them against the same live feed of 4,179+ real mercenary-spyware indicators that powers live detection, entirely on-device, with no file or fingerprint ever leaving your control. It won't catch a payload no one has ever published, and it can't out-see a kernel-level ghost. But it denies staged, known tooling the comfortable hiding place it depends on — and against the reuse-heavy reality of mercenary spyware, that's a layer worth having running every single day.


Three tiers, fixed and published: Core $199 · Operator $499 · Sovereign $999. Buy it or don't — no negotiation, no surprises.