
Kaspersky Introduces Technique to Detect Pegasus Spyware on iOS

Kaspersky researchers have unveiled a novel method for detecting advanced iOS spyware, including notorious strains like Pegasus, by analyzing an iPhone’s system logs. The Russian cybersecurity firm developed a lightweight technique that focuses on the Shutdown.log file within the sysdiagnose archive of an iOS device, enabling the identification of infections associated with sophisticated iOS malware.

Kaspersky’s Global Research and Analysis Team (GReAT) discovered that anomalies linked to spyware, such as Pegasus, could be detected by scrutinizing the Shutdown.log file, which retains information from each device reboot. The researchers identified instances of “sticky” processes impeding reboots, a characteristic associated with Pegasus infections. Leveraging insights from the broader cybersecurity community about the behavior of such spyware, Kaspersky’s approach aims to provide a minimally intrusive way to spot potential iPhone infections.

According to Kaspersky, examining the Shutdown.log offers a lightweight means of identifying potential iPhone infections, and when combined with more extensive forensic analysis tools like the Mobile Verification Toolkit (MVT), it can offer reliable evidence of iOS malware. The researchers noted that consistent patterns, such as the involvement of the path “/private/var/db/” in Pegasus infections, were observed. This path is also seen in other iOS threats like Reign and Predator, indicating that the Shutdown.log could assist in uncovering infections beyond Pegasus.
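The kind of check the article describes, as an added example (not Kaspersky's iShutdown code): parse a Shutdown.log, count reboots, collect processes that were "still here" when the device tried to shut down, and flag those living under /private/var/db/. The log excerpt, the `=== system boot:` reboot marker, the "remaining client pid" line shape and the `EXAMPLE_STAGING` path are all constructed for the example.

```python
import re

# Path prefix the article associates with Pegasus (and with Reign and Predator).
SUSPICIOUS_PREFIX = "/private/var/db/"

# Constructed excerpt; the line shapes are assumptions, not copied from a device.
SAMPLE_LOG = """\
=== system boot: 2024-01-10 08:01:12
After 1 seconds, remaining client pid: 512 (/usr/libexec/exampled)
=== system boot: 2024-01-11 07:55:40
After 1 seconds, remaining client pid: 777 (/private/var/db/EXAMPLE_STAGING/examplebin)
After 3 seconds, remaining client pid: 777 (/private/var/db/EXAMPLE_STAGING/examplebin)
After 5 seconds, remaining client pid: 777 (/private/var/db/EXAMPLE_STAGING/examplebin)
=== system boot: 2024-01-12 08:10:03
"""

BOOT_RE = re.compile(r"^=== system boot: (?P<ts>.+)$")  # reboot marker (assumed)
STICKY_RE = re.compile(
    r"^After (?P<delay>\d+) seconds, remaining client pid: (?P<pid>\d+) \((?P<path>[^)]+)\)$"
)


def analyze_shutdown_log(text):
    """Return reboot count, every sticky process seen, and those under /private/var/db/."""
    reboots = 0
    sticky = {}  # (boot index, pid, path) -> aggregated record
    for line in text.splitlines():
        if BOOT_RE.match(line):
            reboots += 1
            continue
        m = STICKY_RE.match(line)
        if not m:
            continue
        pid, path = int(m["pid"]), m["path"]
        entry = sticky.setdefault(
            (reboots, pid, path),
            {"boot": reboots, "pid": pid, "path": path, "hits": 0, "max_delay": 0},
        )
        entry["hits"] += 1  # same process reported again = it kept blocking shutdown
        entry["max_delay"] = max(entry["max_delay"], int(m["delay"]))
    sticky_list = list(sticky.values())
    suspicious = [e for e in sticky_list if e["path"].startswith(SUSPICIOUS_PREFIX)]
    return {"reboots": reboots, "sticky": sticky_list, "suspicious": suspicious}


if __name__ == "__main__":
    report = analyze_shutdown_log(SAMPLE_LOG)
    print(f"reboots seen: {report['reboots']}")
    for e in report["suspicious"]:
        print(f"boot #{e['boot']}: pid {e['pid']} at {e['path']} "
              f"delayed shutdown {e['hits']}x (max {e['max_delay']}s)")
```

A hit here is a lead to confirm with fuller tooling such as MVT, as the article notes, not a verdict on its own.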


Maher Yamout, Lead Security Researcher at Kaspersky’s GReAT, emphasized that the sysdiagnose dump analysis is minimally intrusive and resource-light, relying on system-based artifacts to identify potential iPhone infections. The researchers believe that this log can serve as a reliable forensic artifact to support infection analysis, especially when combined with other indicators confirmed using tools like MVT.

To simplify spyware detection for users, Kaspersky has developed an open-source self-check tool, available on GitHub, called iShutdown. The tool extracts, parses, and analyzes the Shutdown.log artifact, and its Python scripts run on macOS, Windows, and Linux.

While acknowledging the sophistication of advanced iOS malware like Pegasus, Kaspersky recommends protective measures for users:

1. Reboot devices daily to clear any non-persistent infections.
2. Enable iOS 16’s Lockdown Mode to block known attack vectors.
3. Disable iMessage and FaceTime to reduce the exploit surface.
4. Rapidly install the latest iOS updates to stay ahead of hackers.
5. Avoid clicking on suspicious links in messages and emails.
6. Regularly scan device backups and logs using security tools.

By incorporating these practices into their mobile routines, Apple device owners can reinforce their defenses against spyware and reduce the likelihood of successful attacks. Kaspersky’s innovative approach to detecting iOS spyware showcases the ongoing efforts in the cybersecurity community to stay ahead of evolving threats and enhance user protection in the mobile landscape.
